

Windows Analysis Report
SPECIFICATIONS.exe

Overview

General Information

Sample name: SPECIFICATIONS.exe
Analysis ID: 1572499
MD5: f55f417cb656aeddb7e17504bbf28102
SHA1: 844a465a09bfe6ea4d75f6dfad9f318538ae1891
SHA256: f9f3ab7e1e35b79ad0451c58423219c56e9222c60c54ef78e608de0796ca5347
Tags: exe, user-lowmal3

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SPECIFICATIONS.exe (PID: 6484 cmdline: "C:\Users\user\Desktop\SPECIFICATIONS.exe" MD5: F55F417CB656AEDDB7E17504BBF28102)
    • conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • InstallUtil.exe (PID: 6640 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • CasPol.exe (PID: 5880 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • jsc.exe (PID: 528 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
    • jsc.exe (PID: 1560 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
    • WerFault.exe (PID: 6584 cmdline: C:\Windows\system32\WerFault.exe -u -p 6484 -s 1216 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • newapp.exe (PID: 7508 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
    • conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • newapp.exe (PID: 7720 cmdline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
    • conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "ben@ercolina-usa.com", "Password": "nXe0M~WkW&nJ"}
Yara matches in memory dumps (Source | Rule | Description | Author):
00000000.00000002.2344463767.000002BDA75C8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000005.00000002.4502632182.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.4501166919.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.4501166919.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.4502632182.0000000002F01000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(9 further entries are collapsed in the original report)
Yara matches in unpacked PE files (Source | Rule | Description | Author, followed by the matched strings):
5.2.jsc.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
5.2.jsc.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.jsc.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x359dc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x35a4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x35ad8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x35b6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x35bd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x35c46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x35cdc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x35d6c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.jsc.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x32bec:$s2: GetPrivateProfileString
  • 0x32272:$s3: get_OSFullName
  • 0x33969:$s5: remove_Key
  • 0x33b29:$s5: remove_Key
  • 0x34aa1:$s6: FtpWebRequest
  • 0x359be:$s7: logins
  • 0x35f30:$s7: logins
  • 0x38c41:$s7: logins
  • 0x38cf3:$s7: logins
  • 0x3a7be:$s7: logins
  • 0x3988d:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.SPECIFICATIONS.exe.2bdb729ecc0.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(15 further entries are collapsed in the original report)
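The two ditekSHen rules above fire on plain strings: the eight Windows Credential Vault schema GUIDs and a handful of .NET member names and literals. The scanner below is an added example (it is neither the report's output nor the published rules' logic) that searches a raw buffer for the same markers and records whether each was found as ASCII or UTF-16LE. That distinction matters for .NET payloads: member names live in the UTF-8 #Strings heap, while string literals such as the GUIDs live in the UTF-16LE #US heap, so an ASCII-only grep misses the vault GUIDs. The thresholds in `looks_like_agenttesla` and the `SAMPLE_PAYLOAD` buffer are assumptions constructed for the example, not the real `5.2.jsc.exe.400000.0.unpack` image.

```python
"""Marker scanner for the strings the two ditekSHen rules hit in the unpacked payload.

Added example, not part of the report and not the rules' own logic. The GUIDs and
names are the ones listed in the string hits above; SAMPLE_PAYLOAD is a constructed
buffer used to exercise the scanner, not the real 5.2.jsc.exe.400000.0.unpack image.
"""
from typing import Dict, List, Tuple

# Windows Credential Vault schema GUIDs referenced by the payload (rule strings $s1..$s8).
VAULT_SCHEMA_GUIDS = [
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
]
# Member names and literals from the MALWARE_Win_AgentTeslaV2 hits.
AGENTTESLA_MARKERS = ["GetPrivateProfileString", "get_OSFullName", "FtpWebRequest", "logins"]

Hit = Tuple[str, int]  # (encoding, offset)


def _find_all(buf: bytes, needle: bytes) -> List[int]:
    offsets, pos = [], buf.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = buf.find(needle, pos + 1)
    return offsets


def scan(buf: bytes) -> Dict[str, List[Hit]]:
    """Search for every marker as both ASCII and UTF-16LE.

    .NET stores type and member names (#Strings heap) as UTF-8 but string
    literals such as the GUIDs (#US heap) as UTF-16LE, so a scanner that only
    looks for ASCII misses the vault GUIDs entirely.
    """
    hits: Dict[str, List[Hit]] = {}
    for marker in VAULT_SCHEMA_GUIDS + AGENTTESLA_MARKERS:
        for enc, needle in (("ascii", marker.encode("ascii")), ("wide", marker.encode("utf-16-le"))):
            for off in _find_all(buf, needle):
                hits.setdefault(marker, []).append((enc, off))
    return hits


def looks_like_agenttesla(hits: Dict[str, List[Hit]]) -> bool:
    """Thresholds are an assumption for this example, not the published rules' condition."""
    guids = sum(1 for g in VAULT_SCHEMA_GUIDS if g in hits)
    apis = sum(1 for m in AGENTTESLA_MARKERS if m in hits)
    return guids >= 3 and apis >= 2


def _build_sample() -> bytes:
    """Constructed stand-in for an unpacked .NET image: a PE stub, UTF-16LE GUID
    literals, UTF-8 member names, and two 'logins' literals (constructed data)."""
    chunks = [b"MZ" + b"\x00" * 62]
    chunks += [g.encode("utf-16-le") + b"\x00\x00" for g in VAULT_SCHEMA_GUIDS[:4]]
    chunks += [m.encode("ascii") + b"\x00" for m in ("FtpWebRequest", "get_OSFullName")]
    chunks += ["logins".encode("utf-16-le") + b"\x00\x00"] * 2
    return b"".join(chunks)


SAMPLE_PAYLOAD = _build_sample()

if __name__ == "__main__":
    for marker, where in scan(SAMPLE_PAYLOAD).items():
        print(f"{marker:40} {', '.join(f'{enc}@0x{off:x}' for enc, off in where)}")
    print("AgentTesla-like:", looks_like_agenttesla(scan(SAMPLE_PAYLOAD)))
```

Run it against a memory dump or an unpacked image instead of `SAMPLE_PAYLOAD` by reading the file as bytes; the offsets it prints are directly comparable with the `0x359dc:$s1` style hits the report lists.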

                  System Summary

Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\newapp\newapp.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe, ProcessId: 528, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newapp
No Suricata rule has matched
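Three host-side observations in this report are worth turning into rules: the sample starts InstallUtil.exe, CasPol.exe and jsc.exe with an empty command line and injects into them (process tree and "Creates a process in suspended mode"), the injected jsc.exe writes a Run value pointing into AppData\Roaming (the Sigma hit above), and the same process resolves api.ipify.org before exfiltration. The code below is an added example, not part of the Joe Sandbox report and not a published Sigma rule; it encodes those three signals as functions over Sysmon-style event dicts (EventID 1, 13 and 22). The `SAMPLE_EVENTS` list is constructed here to mirror the report's observations alongside benign look-alikes; it is not sandbox telemetry.

```python
"""Host-telemetry rules distilled from the SPECIFICATIONS.exe run.

Added example; it is not part of the Joe Sandbox report and not a published
Sigma rule. Event dicts use Sysmon field names (EventID 1 process create,
13 registry value set, 22 DNS query). SAMPLE_EVENTS is constructed data that
mirrors the report (jsc.exe launched bare from the Desktop sample, the Run
value under AppData\\Roaming written by jsc.exe, the api.ipify.org lookup).
"""
from dataclasses import dataclass
import ntpath

# .NET Framework binaries the sample started with no arguments and injected into.
DOTNET_INJECTION_HOSTS = {"installutil.exe", "caspol.exe", "jsc.exe"}
# Public "what is my IP" service the sample queried before exfiltration.
IP_CHECK_DOMAINS = {"api.ipify.org"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\temp\\")


@dataclass(frozen=True)
class Alert:
    rule: str
    process: str
    detail: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _bare_launch(image: str, cmdline: str) -> bool:
    """True when the command line is only the image path, optionally quoted.

    Legitimate uses of InstallUtil/CasPol/jsc carry arguments; an argument-less
    start is what a process created suspended as an injection host looks like.
    """
    return cmdline.strip().strip('"').lower() == image.lower()


def rule_dotnet_host_bare_launch(ev: dict):
    if ev.get("EventID") != 1 or _basename(ev["Image"]) not in DOTNET_INJECTION_HOSTS:
        return None
    if not _bare_launch(ev["Image"], ev.get("CommandLine", "")):
        return None
    parent = ev.get("ParentImage", "")
    # Path check only; a production rule should also consult the parent's signer.
    if parent.lower().startswith("c:\\windows\\"):
        return None
    return Alert("dotnet_host_bare_launch", ev["Image"], f"parent={parent}")


def rule_run_key_to_user_writable(ev: dict):
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    target = ev.get("TargetObject", "").lower()
    if "\\currentversion\\run\\" not in target and "\\currentversion\\runonce\\" not in target:
        return None
    details = ev.get("Details", "")
    if not any(marker in details.lower() for marker in USER_WRITABLE):
        return None
    return Alert("run_key_to_user_writable_path", ev["Image"], f"{ev['TargetObject']} -> {details}")


def rule_ip_lookup_from_non_browser(ev: dict):
    if ev.get("EventID") != 22 or ev.get("QueryName", "").lower() not in IP_CHECK_DOMAINS:
        return None
    if _basename(ev["Image"]) in BROWSERS:
        return None
    return Alert("ip_lookup_from_non_browser", ev["Image"], ev["QueryName"])


RULES = (rule_dotnet_host_bare_launch, rule_run_key_to_user_writable, rule_ip_lookup_from_non_browser)


def run_rules(events):
    """Apply every rule to every event; alerts come back in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


JSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

# Constructed events (not sandbox output). Entries 0, 2 and 4 mirror the report;
# entries 1, 3 and 5 are benign look-alikes the rules must leave alone.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": JSC, "CommandLine": f'"{JSC}"',
     "ParentImage": r"C:\Users\user\Desktop\SPECIFICATIONS.exe"},
    {"EventID": 1, "Image": JSC, "CommandLine": "jsc.exe /nologo build.js",
     "ParentImage": r"C:\Program Files\BuildTools\build.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": JSC,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newapp",
     "Details": r"C:\Users\user\AppData\Roaming\newapp\newapp.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 22, "Image": JSC, "QueryName": "api.ipify.org"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "api.ipify.org"},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.process}: {alert.detail}")
```

The first rule is the highest-value one: the bare-command-line launch of a .NET Framework utility by a non-Windows parent is what precedes the "Writes to foreign memory regions" and "Injects a PE file into a foreign processes" signatures, and it fires before any credential file is touched.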


                  AV Detection

Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack | Malware Configuration Extractor: AgentTesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "ben@ercolina-usa.com", "Password": "nXe0M~WkW&nJ"}
Source: SPECIFICATIONS.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: SPECIFICATIONS.exe | Joe Sandbox ML: detected

                  Exploits

Source: Yara match | File source: 00000000.00000002.2344463767.000002BDA75C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SPECIFICATIONS.exe PID: 6484, type: MEMORYSTR

Compliance

Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: SPECIFICATIONS.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.ni.pdbRSDS source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: o0C:\Windows\mscorlib.pdb1 source: newapp.exe, 0000000B.00000002.2170556471.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, newapp.exe, 0000000E.00000002.2251666294.0000000000958000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: uC:\Windows\dll\mscorlib.pdb source: newapp.exe, 0000000E.00000002.2251865825.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Drawing.ni.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbx source: newapp.exe, 0000000B.00000002.2170820592.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Drawing.ni.pdbRSDS source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Core.ni.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: jsc.pdb source: newapp.exe, 0000000B.00000000.2166396796.0000000000882000.00000002.00000001.01000000.00000008.sdmp, newapp.exe.5.dr
                  Source: Binary string: System.Windows.Forms.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: mscorlib.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: jsc.pdb8 source: newapp.exe, 0000000B.00000000.2166396796.0000000000882000.00000002.00000001.01000000.00000008.sdmp, newapp.exe.5.dr
                  Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Windows.Forms.pdb0 source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Management.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Drawing.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: mscorlib.ni.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Management.ni.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: newapp.exe, 0000000B.00000002.2170820592.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Core.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.ni.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERE724.tmp.dmp.9.dr
Networking

Source: Joe Sandbox View | IP Address: 192.254.225.136
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ftp.ercolina-usa.com
Source: jsc.exe, 00000005.00000002.4502632182.00000000030A5000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.4502632182.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.4502632182.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ercolina-usa.com
Source: jsc.exe, 00000005.00000002.4502632182.00000000030A5000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.4502632182.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.4502632182.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.ercolina-usa.com
Source: jsc.exe, 00000005.00000002.4502632182.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.9.dr | String found in binary or memory: http://upx.sf.net
Source: SPECIFICATIONS.exe, 00000000.00000002.2345233326.000002BDB7261000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.4501166919.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: SPECIFICATIONS.exe, 00000000.00000002.2345233326.000002BDB7261000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.4501166919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.4502632182.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: jsc.exe, 00000005.00000002.4502632182.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: jsc.exe, 00000005.00000002.4502632182.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49704 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, SKTzxzsJw.cs | .Net Code: KdRT1gFnIpl
Source: 0.2.SPECIFICATIONS.exe.2bdb729ecc0.4.raw.unpack, SKTzxzsJw.cs | .Net Code: KdRT1gFnIpl
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Window created: window name: CLIPBRDWNDCLASS

                  System Summary

Source: 5.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 0.2.SPECIFICATIONS.exe.2bdb729ecc0.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.SPECIFICATIONS.exe.2bdb729ecc0.4.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 0.2.SPECIFICATIONS.exe.2bdb729ecc0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.SPECIFICATIONS.exe.2bdb729ecc0.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Code function: 0_2_00007FF848F1F619
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Code function: 0_2_00007FF848F12A2C
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Code function: 0_2_00007FF848F22D79
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Code function: 0_2_00007FF848F23442
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Code function: 0_2_00007FF848F1D44D
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Code function: 0_2_00007FF848F1A4D0
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Code function: 0_2_00007FF848F16FB8
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Code function: 0_2_00007FF848F2348F
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Code function: 0_2_00007FF848FF0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_02D94A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_02D9EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_02D93E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_02D94198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_02D91980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_02D9ADB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A047A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A06A12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A01B78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A01F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A05D42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A05D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A156A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A166D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A17E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A13568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A1B2FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A1C260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A17780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A12728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A1E490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A15DCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 5_2_06A10040
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6484 -s 1216
Source: SPECIFICATIONS.exe | Static PE information: No import functions for PE file found
Source: SPECIFICATIONS.exe, 00000000.00000002.2345233326.000002BDB7261000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename4050351b-3b81-4030-83d1-4403e211abfe.exe4 vs SPECIFICATIONS.exe
Source: SPECIFICATIONS.exe, 00000000.00000002.2345233326.000002BDB7261000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEfuguhumagegucimF vs SPECIFICATIONS.exe
Source: SPECIFICATIONS.exe | Binary or memory string: OriginalFilenamePatekPorot.exe4 vs SPECIFICATIONS.exe
Source: 5.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.SPECIFICATIONS.exe.2bdb729ecc0.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SPECIFICATIONS.exe.2bdb729ecc0.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.SPECIFICATIONS.exe.2bdb729ecc0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SPECIFICATIONS.exe.2bdb729ecc0.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: SPECIFICATIONS.exe | Static PE information: Section: .rsrc ZLIB complexity 0.9991910626601196
Source: SPECIFICATIONS.exe, --------.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@15/10@2/2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeFile created: C:\Users\user\AppData\Roaming\newappJump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeMutant created: NULL
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6484
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
                  Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\2877ffe5-0ded-49ae-944b-8e216f136eacJump to behavior
                  Source: SPECIFICATIONS.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: SPECIFICATIONS.exeStatic file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: SPECIFICATIONS.exeReversingLabs: Detection: 57%
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exeFile read: C:\Users\user\Desktop\SPECIFICATIONS.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\SPECIFICATIONS.exe "C:\Users\user\Desktop\SPECIFICATIONS.exe"
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6484 -s 1216
                  Source: unknown Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Section loaded: version.dll
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Section loaded: wbemcomn.dll
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: userenv.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rasapi32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rasman.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rtutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: fwpuclnt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: schannel.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mskeyprotect.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ntasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ncryptsslp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: gpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ntmarta.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: vaultcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: wintypes.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: dpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                  Source: SPECIFICATIONS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: SPECIFICATIONS.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.ni.pdbRSDS source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: o0C:\Windows\mscorlib.pdb1 source: newapp.exe, 0000000B.00000002.2170556471.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp, newapp.exe, 0000000E.00000002.2251666294.0000000000958000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: uC:\Windows\dll\mscorlib.pdb source: newapp.exe, 0000000E.00000002.2251865825.0000000000AF6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Drawing.ni.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbx source: newapp.exe, 0000000B.00000002.2170820592.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Drawing.ni.pdbRSDS source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Core.ni.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: jsc.pdb source: newapp.exe, 0000000B.00000000.2166396796.0000000000882000.00000002.00000001.01000000.00000008.sdmp, newapp.exe.5.dr
                  Source: Binary string: System.Windows.Forms.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: mscorlib.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: jsc.pdb8 source: newapp.exe, 0000000B.00000000.2166396796.0000000000882000.00000002.00000001.01000000.00000008.sdmp, newapp.exe.5.dr
                  Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Windows.Forms.pdb0 source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Management.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Drawing.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: mscorlib.ni.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Management.ni.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: newapp.exe, 0000000B.00000002.2170820592.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.ni.pdb source: WERE724.tmp.dmp.9.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERE724.tmp.dmp.9.dr
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Code function: 0_2_00007FF848F17967 push ebx; retf 0_2_00007FF848F1796A
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Code function: 0_2_00007FF848FF0000 push esp; retf 4810h 0_2_00007FF848FF0312
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_06A05350 pushfd ; ret 5_2_06A05669
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_06A0AF01 push es; ret 5_2_06A0AF10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_06A068E0 pushad ; retf 5_2_06A068E1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_06A068E2 push esp; retf 5_2_06A068E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_06A05662 pushfd ; ret 5_2_06A05669
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_06A0F550 push es; ret 5_2_06A0F560
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\newapp\newapp.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newapp

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: SPECIFICATIONS.exe PID: 6484, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA75C8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA75C8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA72B2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLLP
Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA72B2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAMEP
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Memory allocated: 2BDA6F60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Memory allocated: 2BDBF250000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Memory allocated: 2C80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Memory allocated: 2EB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Memory allocated: E90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Memory allocated: 2C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Memory allocated: 4C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Memory allocated: 2700000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Memory allocated: 2940000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Memory allocated: 2740000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 599874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 599765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 599656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 599546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 599437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 599327
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 599218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 599108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 598999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 598890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 598778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 598671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 598562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 598449
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 598338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 598219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 597764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 597656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 597546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 597437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 597328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 597218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 597109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 596999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 596890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 596781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 596662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 596531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 596421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 596312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 596202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 596093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 595984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 595874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 595764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 595656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 595539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 595421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 595260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 595155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 595046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 594937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 594827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 594718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 594609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 594499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 594390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 594281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 594171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 594062
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Window / User API: threadDelayed 2498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Window / User API: threadDelayed 7347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep count: 34 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7332 | Thread sleep count: 2498 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -599874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7332 | Thread sleep count: 7347 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -599765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -599656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -599546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -599437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -599327s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -599218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -599108s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -598999s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -598890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -598778s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -598671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -598562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -598449s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -598338s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -598219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -597764s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -597656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -597546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -597437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -597328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -597218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -597109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -596999s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -596890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -596781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -596662s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -596531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -596421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -596312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -596202s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -596093s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -595984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -595874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -595764s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -595656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -595539s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -595421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -595260s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -595155s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -595046s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -594937s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -594827s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -594718s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -594609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -594499s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -594390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -594281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -594171s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7316 | Thread sleep time: -594062s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7572 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 7768 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 597546Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 597437Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 597328Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 597218Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 597109Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 596999Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 596890Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 596781Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 596662Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 596531Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 596421Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 596312Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 596202Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 596093Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 595984Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 595874Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 595764Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 595656Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 595539Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 595421Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 595260Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 595155Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 595046Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 594937Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 594827Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 594718Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 594609Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 594499Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 594390Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 594281Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 594171Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 594062Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA72B2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: QEMUP
                  Source: Amcache.hve.9.drBinary or memory string: VMware
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA72B2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "SOFTWARE\VMware, Inc.\VMware ToolsP
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA75C8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: Amcache.hve.9.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA75C8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA75C8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                  Source: Amcache.hve.9.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.9.drBinary or memory string: vmci.sys
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA75C8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA75C8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA75C8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                  Source: Amcache.hve.9.drBinary or memory string: VMware20,1
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA72B2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sysP
                  Source: Amcache.hve.9.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.9.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.9.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.9.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.9.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.9.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA75C8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA75C8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                  Source: Amcache.hve.9.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.9.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.9.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA72B2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREP
                  Source: Amcache.hve.9.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.9.drBinary or memory string: VMware Virtual USB Mouse
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA72B2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareP
                  Source: Amcache.hve.9.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.9.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.9.drBinary or memory string: VMware20,1hbin@
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA7251000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sysP
                  Source: Amcache.hve.9.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.9.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.9.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA72B2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\P
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA75C8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA75C8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                  Source: Amcache.hve.9.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.9.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA72B2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIP
                  Source: jsc.exe, 00000005.00000002.4506819412.0000000006140000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA72B2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sysP
                  Source: Amcache.hve.9.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.9.drBinary or memory string: vmci.syshbin`
                  Source: Amcache.hve.9.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA75C8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: Amcache.hve.9.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.9.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: SPECIFICATIONS.exe, 00000000.00000002.2344463767.000002BDA72B2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: SPECIFICATIONS.exe, --------.cs | Reference to suspicious API methods: GetProcAddress(_05BC_05FE_FB1E_05FB_05B8_05C6_05C8_05BA_05C8, _05BC_05C5_0597_05B1_05A9_05C8_05C5_059C_FB1E_05F5_05ED_05BA_05ED_0596_05BD_05B5_05FC_05BB_05B9_05CA_0591)
                  Source: SPECIFICATIONS.exe, --------.cs | Reference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)_059A_05CE_059A_05F7_05ED_05F8_05FE_0590_05C9_05B1_0599_05AA.Length, 64u, out var _05B4_05CF_059D_05A3_05B5)
                  Source: SPECIFICATIONS.exe, --------.cs | Reference to suspicious API methods: LoadLibrary(array5[0])
                  Source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, zOS.cs | Reference to suspicious API methods: _120HqGy.OpenProcess(_2pIt.DuplicateHandle, bInheritHandle: true, (uint)iVE.ProcessID)
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 402000
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 440000
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 442000
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: D9D008
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                  Source: jsc.exe, 00000005.00000002.4502632182.00000000030A5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]q8<b>[ Program Manager]</b> (10/12/2024 21:24:49)<br>{Win}THbq
                  Source: jsc.exe, 00000005.00000002.4502632182.00000000030A5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                  Source: jsc.exe, 00000005.00000002.4502632182.00000000030A5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerLR]q
                  Source: jsc.exe, 00000005.00000002.4502632182.00000000030A5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]q3<b>[ Program Manager]</b> (10/12/2024 21:24:49)<br>
                  Source: jsc.exe, 00000005.00000002.4502632182.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: <html>Time: 12/27/2024 10:27:17<br>User Name: user<br>Computer Name: 675052<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 8.46.123.175<br><hr><b>[ Program Manager]</b> (10/12/2024 21:24:49)<br>{Win}r</html>
                  Source: jsc.exe, 00000005.00000002.4502632182.00000000030A5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]q9<b>[ Program Manager]</b> (10/12/2024 21:24:49)<br>{Win}rTHbq
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Queries volume information: C:\Users\user\Desktop\SPECIFICATIONS.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe | Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation
                  Source: C:\Users\user\Desktop\SPECIFICATIONS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: Amcache.hve.9.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.9.dr | Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.9.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.9.dr | Binary or memory string: MsMpEng.exe

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 5.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SPECIFICATIONS.exe.2bdb729ecc0.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SPECIFICATIONS.exe.2bdb729ecc0.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000005.00000002.4502632182.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.4501166919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.4502632182.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2345233326.000002BDB7261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: SPECIFICATIONS.exe PID: 6484, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: jsc.exe PID: 528, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\FTP Navigator\Ftplist.txt
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: Yara match | File source: 5.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SPECIFICATIONS.exe.2bdb729ecc0.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SPECIFICATIONS.exe.2bdb729ecc0.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000005.00000002.4501166919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.4502632182.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2345233326.000002BDB7261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: SPECIFICATIONS.exe PID: 6484, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: jsc.exe PID: 528, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 5.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SPECIFICATIONS.exe.2bdb729ecc0.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SPECIFICATIONS.exe.2bdb72dbf08.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.SPECIFICATIONS.exe.2bdb729ecc0.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000005.00000002.4502632182.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.4501166919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.4502632182.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2345233326.000002BDB7261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: SPECIFICATIONS.exe PID: 6484, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: jsc.exe PID: 528, type: MEMORYSTR
                  MITRE ATT&CK Matrix

                  Tactic columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact

                  Techniques flagged for this sample, by tactic (the number in parentheses is the counter rendered next to the technique in the matrix):

                  Execution: Windows Management Instrumentation (221), Native API (1)
                  Persistence: DLL Side-Loading (1), Registry Run Keys / Startup Folder (1)
                  Privilege Escalation: DLL Side-Loading (1), Process Injection (212), Registry Run Keys / Startup Folder (1)
                  Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1), Masquerading (1), Virtualization/Sandbox Evasion (261), Process Injection (212), Hidden Files and Directories (1)
                  Credential Access: OS Credential Dumping (2), Input Capture (21), Credentials in Registry (1)
                  Discovery: File and Directory Discovery (1), System Information Discovery (24), Security Software Discovery (341), Process Discovery (2), Virtualization/Sandbox Evasion (261), Application Window Discovery (1), System Network Configuration Discovery (1)
                  Collection: Archive Collected Data (11), Data from Local System (2), Email Collection (1), Input Capture (21), Clipboard Data (1)
                  Command and Control: Ingress Tool Transfer (1), Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (13)

                  Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no techniques flagged (the matrix shows only the unflagged default entries for these tactics).

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1572499 | Sample: SPECIFICATIONS.exe | Startdate: 10/12/2024 | Architecture: WINDOWS | Score: 100

Root node, DNS/IP: ftp.ercolina-usa.com; ercolina-usa.com; api.ipify.org
Root node, signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures
Root node, processes started: SPECIFICATIONS.exe (3); newapp.exe (2); newapp.exe (1)

SPECIFICATIONS.exe, signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign processes
SPECIFICATIONS.exe, processes started: jsc.exe (16 4); WerFault.exe (19 16); conhost.exe; 3 other processes
newapp.exe (each of the two instances), processes started: conhost.exe

jsc.exe, DNS/IP: ercolina-usa.com 192.254.225.136, ports 21, 49707, 49708, UNIFIEDLAYER-AS-1US, United States; api.ipify.org 104.26.13.205, ports 443, 49704, CLOUDFLARENETUS, United States
jsc.exe, dropped file: C:\Users\user\AppData\Roaming\...\newapp.exe, PE32
jsc.exe, signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 4 other signatures

Source | Detection | Scanner | Label
SPECIFICATIONS.exe | 58% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno
SPECIFICATIONS.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\newapp\newapp.exe | 0% | ReversingLabs |
                  No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ercolina-usa.com | 192.254.225.136 | true | true | | unknown
api.ipify.org | 104.26.13.205 | true | false | | high
ftp.ercolina-usa.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | SPECIFICATIONS.exe, 00000000.00000002.2345233326.000002BDB7261000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.4501166919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.4502632182.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.9.dr | false | | high
https://account.dyn.com/ | SPECIFICATIONS.exe, 00000000.00000002.2345233326.000002BDB7261000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.4501166919.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | jsc.exe, 00000005.00000002.4502632182.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | jsc.exe, 00000005.00000002.4502632182.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ftp.ercolina-usa.com | jsc.exe, 00000005.00000002.4502632182.00000000030A5000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.4502632182.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.4502632182.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ercolina-usa.com | jsc.exe, 00000005.00000002.4502632182.00000000030A5000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.4502632182.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.4502632182.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
192.254.225.136 | ercolina-usa.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572499
Start date and time: 2024-12-10 16:28:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 23s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SPECIFICATIONS.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@15/10@2/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 104
• Number of non-executed functions: 6
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.22, 20.190.147.2, 4.175.87.197, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target newapp.exe, PID 7508 because it is empty
• Execution Graph export aborted for target newapp.exe, PID 7720 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: SPECIFICATIONS.exe
Time | Type | Description
10:29:05 | API Interceptor | 10118940x Sleep call for process: jsc.exe modified
10:29:30 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
16:29:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
16:29:12 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
192.254.225.136 | TECHNICAL SPECIFICATIONS.exe | malicious | AgentTesla |
 | uLFOeGZaJS.exe | malicious | AgentTesla |
 | RICHIESTA D'OFFERTA.exe | malicious | AgentTesla, PureLog Stealer, zgRAT |
 | QUOTATION#09678.exe | malicious | AgentTesla |
 | PURCHASE SPCIFICIATIONS.exe | malicious | AgentTesla, PureLog Stealer |
 | LISTA DE COTIZACIONES.exe | malicious | AgentTesla, PureLog Stealer |
 | QUOTATION#5400.exe | malicious | AgentTesla |
 | QUOTATION#2800-QUANTUM MACTOOLS.exe | malicious | AgentTesla, PureLog Stealer |
 | QUOTATION#2800-QUANTUM MACTOOLS.exe | malicious | AgentTesla, PureLog Stealer |
 | 2JHGWjmJ46.exe | malicious | AgentTesla |
104.26.13.205 | BiXS3FRoLe.exe | malicious | TrojanRansom | api.ipify.org/
 | lEUy79aLAW.exe | malicious | TrojanRansom | api.ipify.org/
 | Simple1.exe | malicious | Unknown | api.ipify.org/
 | 2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
 | file.exe | malicious | Unknown | api.ipify.org/
 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
 | file.exe | malicious | RDPWrap Tool | api.ipify.org/
 | Prismifyr-Install.exe | malicious | Node Stealer | api.ipify.org/
 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | EEMsLiXoiTzoaDd.scr | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
 | Statement 2024-11-29 (K07234).exe | malicious | AgentTesla | 104.26.12.205
 | Employee_Letter.pdf | malicious | HTMLPhisher | 104.26.13.205
 | 1mr7lpFIVI.exe | malicious | Unknown | 104.26.12.205
 | jKDBppzWTb.exe | malicious | AgentTesla | 172.67.74.152
 | enyi.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
 | proforma invoice.exe | malicious | AgentTesla | 104.26.13.205
 | x.ps1 | malicious | PureLog Stealer, Quasar | 104.26.12.205
 | file.exe | malicious | Quasar | 104.26.13.205
 | Xeno Executor.exe | malicious | CredGrabber, Meduza Stealer | 104.26.13.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | ST07933.exe | malicious | GuLoader, Snake Keylogger | 104.21.67.152
 | fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
 | http://abercombie.com | malicious | Unknown | 104.18.86.42
 | https://listafrica.org/Receipt.html | malicious | WinSearchAbuse | 172.64.41.3
 | https://github.com/Matty77o/malware-samples-m-h/blob/main/TheTrueFriend.exe | malicious | Unknown | 162.159.135.232
 | https://wetransfer.com/downloads/a83584fea59b11ef1e94d36869e8790020241209234540/89744b9472f9ce1b5e3b4ada79f2184c20241209234540/7041ff?t_exp=1734047140&t_lsid=42d44d78-6d8f-48db-8db5-5efa0c86786d&t_network=email&t_rid=ZW1haWx8Njc0ZjQ5YTNiNjM1NTFjNmY2NTg0N2Zj&t_s=download_link&t_ts=1733787940&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01 | malicious | Unknown | 104.26.1.90
 | https://webradiojaguar.net/FNB-POP.pdf | malicious | Unknown | 1.1.1.1
 | PO2412010.exe | malicious | FormBook | 104.21.64.1
 | https://zfrmz.com/wE0Jw9HNvGeKZ1fn5cBU | malicious | Unknown | 104.17.25.14
 | 7gxaFDUSOD.exe | malicious | Stealc | 104.21.56.70
UNIFIEDLAYER-AS-1US | ExternalREMITTANCE ACH SCHEDULED 1210241424bec0c449d38092c0dbd844252d73 (24.0 KB).msg | malicious | Unknown | 69.49.245.172
 | la.bot.arm6.elf | malicious | Mirai | 162.215.31.89
 | la.bot.powerpc.elf | malicious | Mirai | 198.58.93.231
 | https://xxx.cloudlawservices.com/fROBJ/ | malicious | HTMLPhisher | 69.49.230.198
 | Play_VM-NowCRQW.html | malicious | HTMLPhisher | 69.49.230.198
 | https://webservice.ucampaign.unear.net/UmailTracking/t.aspx?p=64620006&c=MTI2NjMxOA==&up=46435316&e=jlim@vvblawyers.com&l=MTczODQ=&i=1126&u= | malicious | HTMLPhisher | 192.185.25.241
 | http://crissertaoericardo.com.br/images/document.pif.rar | malicious | GuLoader | 192.185.217.125
 | https://mpleho.com/wd/ | malicious | Phisher | 69.49.234.173
 | AWB_5771388044 Documente de expediere.exe | malicious | FormBook | 108.179.253.197
 | Marsha Rowland Signature Required.pdf | malicious | Unknown | 192.185.35.240
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | ST07933.exe | malicious | GuLoader, Snake Keylogger | 104.26.13.205
 | fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | 104.26.13.205
 | Ref_31020563.exe | malicious | Unknown | 104.26.13.205
 | Ref_31020563.exe | malicious | Unknown | 104.26.13.205
 | xUPaeKk5wQ.msi | malicious | AteraAgent | 104.26.13.205
 | 7gBUqzSN3y.msi | malicious | AteraAgent | 104.26.13.205
 | PO-8776-2024.js | malicious | Remcos | 104.26.13.205
 | New Order Enquiry.js | malicious | AgentTesla | 104.26.13.205
 | Bunker_STS_pdf.vbs | malicious | Unknown | 104.26.13.205
 | Hesap_Hareketleri_10122024_html.exe | malicious | Snake Keylogger, VIP Keylogger | 104.26.13.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\newapp\newapp.exe | SecuriteInfo.com.Win32.Malware-gen.27656.20815.exe | malicious | Blackshades, Quasar |
 | LisectAVT_2403002B_109.exe | malicious | Blackshades |
 | LisectAVT_2403002B_486.exe | malicious | RedLine |
 | CSXER09OOPMND--3098376TDGH.exe | malicious | Nanocore |
 | PI and payment confirmed pdf.exe | malicious | AgentTesla |
 | 3SBlY301oa.exe | malicious | XWorm |
 | z9order.exe | malicious | AgentTesla |
 | Halkbank_Ekstre_20240626_0805893_4585894.xlxs.exe | malicious | AgentTesla |
 | hesaphareketi-01.pdf.exe | malicious | AgentTesla |
 | kSf9sIgyxl.exe | malicious | Nanocore |
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.1142526433024709
Encrypted: false
SSDEEP: 192:vkvOqTOc0UnUVaWB2WItazuiFbZ24lO8L:UOqTIUnUVam2SzuiFbY4lO8L
MD5: E7C495A696D970B046C37AC54446B0D0
SHA1: DBEB2516D504A0C3A9D626269902DFE9BD9E9242
SHA-256: F8A6407DCB081D636C6694FED38608C412B303356C7ED6FF452FD09FDA972D0A
SHA-512: 936E111EACEBA228721B85CF3B51EAFC057C140F56417362B8BABB2267729EB914E476D54ECC98C586705A96E2A96A3A2CD9A6259BE3EC89C4E5F7F787B979C0
Malicious: false
Preview (UTF-16 text shown with the null bytes dropped; truncated on the page):
Version=1
EventType=APPCRASH
EventTime=133783181421545941
ReportType=2
Consent=1
UploadTime=133783181428421205
ReportStatus=524384
ReportIdentifier=7f693ab5-20cd-47d5-ba8e-d10ca3bd5ef5
IntegratorReportIdentifier=b2900a2b-bdb8-4c79-b5d4-2953365d61fe
Wow64Host=34404
NsAppName=SPECIFICATIONS.exe
OriginalFilename=PatekPorot.exe
AppSessionGuid=00001954-0001-0014-c187-b23b184bdb01
TargetAppId=W:0006a4e61be17c0b875b8b9a3b79511fae7d00000000!0000844a465a09bfe6ea4d75f6dfad9f318538ae1891!SPEC
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Tue Dec 10 15:29:02 2024, 0x1205a4 type
Category: dropped
Size (bytes): 441585
Entropy (8bit): 3.411909227449702
Encrypted: false
SSDEEP: 3072:16G8eeG1AGZSV3/4RcSbNtFofoyHS/QoqtuXFy27U/I1CCqERAF88X3+vVhq:AGz1AGZyv0bNtFbGIUgqEC3Q3
MD5: 687AB5CB029E22FAB2565BF1EF821AB6
SHA1: C400632934175538ED8E4E98C9C11832B11D6818
SHA-256: BAB2EDE47BBD119DA0D0824CF75170A61804F9F7E84979A2E90730F07BEC728E
SHA-512: B52187374724BE60112638ABD10E9DEC0467D658AF8BE1BFBC10224537340F5AACF1EA27BCA4594BF21DD3C41342EE76CF1F7E1D88D5D8C3597D121DF829472B
Malicious: false
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8810
Entropy (8bit): 3.714534480184789
Encrypted: false
SSDEEP: 192:R6l7wVeJpncM+T6YEIbLF5tsgmf+74Qprt89b5PkfPGTm:R6lXJyp6YEApsgmfS4P58fb
MD5: 3D2DA25795C84E9986100FAF9158B94F
SHA1: C2E1C6D8138363DCFBF6CDD03B9ECD82FFA60385
SHA-256: 299DB734C263AA9B972D352AE2CE9D76C78D251AE9EF5CAA1DFA80EF218AC8BB
SHA-512: BD5F0B645A8314ACF4702855834A9C03F46735D95D6EE0CE86C2BDA45DDC9EFC936CBF78CC48475A4ADE4C0F6FCE8DA66B12089D0C034E3C5A0A4F5FD7AB9C2A
Malicious: false
Preview (UTF-16 text shown with the null bytes dropped; truncated on the page):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>6484</Pi
                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):4778
                                                                                Entropy (8bit):4.554762685234558
                                                                                Encrypted:false
                                                                                SSDEEP:48:cvIwWl8zsFuJg771I9MoSWpW8VYlYm8M4JQ+FByyq85zgsTCCb3d:uIjfFkI7rW7VBJS5OCCb3d
                                                                                MD5:2AA49A38C6899EAF2ECEFC609DA0A8F2
                                                                                SHA1:A93DDFF2D72555E26C8D9116BACFE12F140C0971
                                                                                SHA-256:D3759533AAED556F2C411BADC0A7807A37136C1173BEA6A1580137AEAA5A7C02
                                                                                SHA-512:0BB77B8AF5E21DBCB572A5F95F811BAF38EEB921EE5FEF326CC17654D9FD18A479973FE8C6AAB2D2B35D935129BA405F53A7A041661DFFB09A8F87C7FFDBD87A
                                                                                Malicious:false
                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="625351" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                Process:C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:modified
                                                                                Size (bytes):42
                                                                                Entropy (8bit):4.0050635535766075
                                                                                Encrypted:false
                                                                                SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                                                                                MD5:84CFDB4B995B1DBF543B26B86C863ADC
                                                                                SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                                                                                SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                                                                                SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                                                                                Malicious:false
                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                                                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:modified
                                                                                Size (bytes):47584
                                                                                Entropy (8bit):6.391877602293662
                                                                                Encrypted:false
                                                                                SSDEEP:768:DeSZaMT79n3DwU8ZCM2o1QG/n29WERqqJaqW/P8+4W:DeoaElzEZ2fG/nmkK4s+4W
                                                                                MD5:94C8E57A80DFCA2482DEDB87B93D4FD9
                                                                                SHA1:5729E6C7D2F5AB760F0093B9D44F8AC0F876A803
                                                                                SHA-256:39E87F0EDCDD15582CFEFDFAB1975AADD2C7CA1E3A5F07B1146CE3206F401BB5
                                                                                SHA-512:1798A3607B2B94732B52DE51D2748C86F9453343B6D8A417E98E65DDB38E9198CDCB2F45BF60823CB429B312466B28C5103C7588F2C4EF69FA27BFDB4F4C67DC
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Win32.Malware-gen.27656.20815.exe, Detection: malicious
• Filename: LisectAVT_2403002B_109.exe, Detection: malicious
• Filename: LisectAVT_2403002B_486.exe, Detection: malicious
• Filename: CSXER09OOPMND--3098376TDGH.exe, Detection: malicious
• Filename: PI and payment confirmed pdf.exe, Detection: malicious
• Filename: 3SBlY301oa.exe, Detection: malicious
• Filename: z9order.exe, Detection: malicious
• Filename: Halkbank_Ekstre_20240626_0805893_4585894.xlxs.exe, Detection: malicious
• Filename: hesaphareketi-01.pdf.exe, Detection: malicious
• Filename: kSf9sIgyxl.exe, Detection: malicious
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.]..............0..n..........b.... ........@.. ..............................h.....`.....................................O....................x...A.......................................................... ............... ..H............text...hm... ...n.................. ..`.rsrc................p..............@..@.reloc...............v..............@..B................D.......H........D...8..........h}..p...........................................0...........(......}......}......}..... L...}......}......}......}.....s....}.....s....}.......s....}.......s....}.....s....}....r...p(......,...}....*.r...p}....*.0..........s......r...po.....r...po......(....o....s.....r...p..(...........( ...(!...o"...r!..po#...o$...t.......o.......#..rA..p..o%...(....(....(&...........*..........Tp.# .....(....*.0............}......}......}......}......}......}.....s
                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                Category:dropped
                                                                                Size (bytes):1835008
                                                                                Entropy (8bit):4.421678588395099
                                                                                Encrypted:false
                                                                                SSDEEP:6144:wSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNc0uhiTw:bvloTMW+EZMM6DFy203w
                                                                                MD5:563928E38B4ECA2F16051D1E886805A7
                                                                                SHA1:04DCB1935A7E1E7105DB0ABC0438141CDB41B7EF
                                                                                SHA-256:997B24299DC104775434DB2BBECB373765343A255CCAA8F9B26D7564514FD9AA
                                                                                SHA-512:91F15AC0D7118EDBA5B25186A2D514E65C9E89589E5206AA8590E6626F63E29389D36BEEF92B5DE00E92495B802FE79F648E1278AA15A55CCCB1DE845467895F
                                                                                Malicious:false
                                                                                Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..{=.K................................................................................................................................................................................................................................................................................................................................................l.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Roaming\newapp\newapp.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):31
                                                                                Entropy (8bit):3.6034123432601906
                                                                                Encrypted:false
                                                                                SSDEEP:3:iLpVO38a33Pov:idm8836
                                                                                MD5:15A7C996F2983DBDB82E0968752EE52F
                                                                                SHA1:01F65B2274421164647D814ED141A523B4BE974A
                                                                                SHA-256:DD36366E8979CFE91E3180FB5809F71BA3984CC44BA0EF94A74EB4946C177A71
                                                                                SHA-512:E1DAE56F1653A5FCACEAC30B327EE8014E2E84232176A06A618888FF8C38C6BB348E80842269DEB773E0AD1F3806A0AAB660F68098083F5B582C7BD3B6337D4D
                                                                                Malicious:false
                                                                                Preview:***INTERNAL COMPILER ERROR***..
                                                                                File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                Entropy (8bit):7.996954316248964
                                                                                TrID:
                                                                                • Win64 Executable Console Net Framework (206006/5) 48.58%
                                                                                • Win64 Executable Console (202006/5) 47.64%
                                                                                • Win64 Executable (generic) (12005/4) 2.83%
                                                                                • Generic Win/DOS Executable (2004/3) 0.47%
                                                                                • DOS Executable Generic (2002/1) 0.47%
                                                                                File name:SPECIFICATIONS.exe
                                                                                File size:607'232 bytes
                                                                                MD5:f55f417cb656aeddb7e17504bbf28102
                                                                                SHA1:844a465a09bfe6ea4d75f6dfad9f318538ae1891
                                                                                SHA256:f9f3ab7e1e35b79ad0451c58423219c56e9222c60c54ef78e608de0796ca5347
                                                                                SHA512:eca7c26d31a7c6185b428ddc998340fdcfb5512b26d6b2cff2c27807c09eb457595f97903c4aa88bd4597c532c7583c57a80780bb3cbbe6a1c53395650405d24
                                                                                SSDEEP:12288:c0Yw1aUwjfFJY26YnQg4YDfoBp6SZHh52EFXIPMdjSCZ9t:PYWaUw5a26YnQgBov2EWkHjt
                                                                                TLSH:48D4235E22C962BBCA2F80F559B819E5426FB493EF37176D67341390980A0379FE24F1
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...R.Pg.........."...0.d....&........... ....@...... ....................................`................................
                                                                                Icon Hash:00928e8e8686b000
                                                                                Entrypoint:0x400000
                                                                                Entrypoint Section:
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows cui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x67508452 [Wed Dec 4 16:33:22 2024 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:
Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
Note: the listed Entrypoint (0x400000) equals the Imagebase, i.e. AddressOfEntryPoint is 0, so the disassembler is decoding the DOS header rather than code: the bytes 4D 5A 90 00 03 00 00 00 04 00 ... ("MZ" followed by the standard header fields) decode as dec ebp / pop edx / nop / add .... This is expected for a managed PE32+ image: it has no native entry stub and no import table (IMAGE_DIRECTORY_ENTRY_IMPORT is 0x0/0x0), and execution starts through the CLR header referenced by IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (0x2000 in .text).
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x92568 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1a64 | 0x1c00 | b02ca6e0d650e3c78c6cde180ca192bc | False | 0.6061662946428571 | data | 5.808406449887315 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x4000 | 0x92568 | 0x92600 | 2b0cd18deb61d495441b2977220fc020 | False | 0.9991910626601196 | data | 7.999540942974163 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
M4LWARE | 0x4110 | 0x92018 | data | | | 1.0003193766303258
RT_VERSION | 0x96128 | 0x254 | data | | | 0.45805369127516776
RT_MANIFEST | 0x9637c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
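The resource table above is the most useful static lead in this report: a custom-named resource (M4LWARE) of 0x92018 bytes sits inside a .rsrc section whose entropy is 7.9995, and together they make up almost the whole 607'232-byte file, while .text is only 0x1a64 bytes. That is the layout of a small .NET loader wrapping an encrypted payload. The script below is an added example, not code from the report or from Joe Sandbox: it walks the resource tree, computes the Shannon entropy of each resource, flags resources that are both near-random and dominate the file, and can dump one for offline decryption. Reading a real file needs the third-party pefile package (imported lazily); the entropy and decision functions are pure Python. The thresholds (entropy 7.9, 50% of file size) are assumptions chosen for the example.

```python
"""Triage a .NET PE for an oversized, high-entropy embedded resource (added example)."""
import math
import os
from collections import Counter
from dataclasses import dataclass


@dataclass
class ResourceInfo:
    name: str      # resource type name (M4LWARE, RT_VERSION, ...) or id_<n>
    rva: int
    size: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_payload_resources(resources, file_size, min_entropy=7.9, min_share=0.5):
    """Names of resources that look like an encrypted or compressed payload:
    near-random content that also makes up most of the file. Thresholds are
    assumptions for this example, not values from the report."""
    return [r.name for r in resources
            if r.entropy >= min_entropy and r.size >= min_share * file_size]


def walk_resources(pe):
    """Yield one ResourceInfo per leaf of the PE resource tree (pefile objects)."""
    import pefile  # third-party package; only needed for real files
    root = getattr(pe, "DIRECTORY_ENTRY_RESOURCE", None)
    if root is None:
        return
    for type_entry in root.entries:
        if type_entry.name is not None:
            name = str(type_entry.name)          # named type, e.g. M4LWARE
        else:
            name = pefile.RESOURCE_TYPE.get(type_entry.id, f"id_{type_entry.id}")
        for id_entry in type_entry.directory.entries:
            for lang_entry in id_entry.directory.entries:
                rva = lang_entry.data.struct.OffsetToData
                size = lang_entry.data.struct.Size
                yield ResourceInfo(name, rva, size, shannon_entropy(pe.get_data(rva, size)))


def triage(path):
    """Reproduce the header facts the report lists and flag suspect resources."""
    import pefile
    pe = pefile.PE(path)
    dd = pe.OPTIONAL_HEADER.DATA_DIRECTORY
    com = dd[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR"]]
    imp = dd[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"]]
    resources = list(walk_resources(pe))
    return {
        "managed": com.VirtualAddress != 0,          # CLR header present
        "native_imports": imp.VirtualAddress != 0,   # False for a managed-only PE32+
        "entry_is_zero": pe.OPTIONAL_HEADER.AddressOfEntryPoint == 0,
        "resources": resources,
        "suspect": flag_payload_resources(resources, os.path.getsize(path)),
    }


def dump_resource(path, name, out_path):
    """Write the named resource's raw bytes to out_path; returns the byte count."""
    import pefile
    pe = pefile.PE(path)
    for r in walk_resources(pe):
        if r.name == name:
            with open(out_path, "wb") as fh:
                fh.write(pe.get_data(r.rva, r.size))
            return r.size
    raise KeyError(name)


if __name__ == "__main__":
    import sys
    for key, value in triage(sys.argv[1]).items():
        print(key, value)
```

Run as `python triage.py SPECIFICATIONS.exe` to print the summary, then `dump_resource("SPECIFICATIONS.exe", "M4LWARE", "payload.bin")` to get the blob the loader decrypts; the decryption routine itself lives in the small .text section and has to be read from the decompiled loader.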
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 16:29:02.689627886 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Dec 10, 2024 16:29:02.689678907 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Dec 10, 2024 16:29:02.689770937 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Dec 10, 2024 16:29:02.696736097 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Dec 10, 2024 16:29:02.696753025 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Dec 10, 2024 16:29:03.941157103 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Dec 10, 2024 16:29:03.941440105 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Dec 10, 2024 16:29:03.945966959 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Dec 10, 2024 16:29:03.945988894 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Dec 10, 2024 16:29:03.946326017 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Dec 10, 2024 16:29:03.991934061 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Dec 10, 2024 16:29:03.996279955 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Dec 10, 2024 16:29:04.043334007 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Dec 10, 2024 16:29:04.390172005 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Dec 10, 2024 16:29:04.390242100 CET | 443 | 49704 | 104.26.13.205 | 192.168.2.5
Dec 10, 2024 16:29:04.390517950 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Dec 10, 2024 16:29:04.408814907 CET | 49704 | 443 | 192.168.2.5 | 104.26.13.205
Dec 10, 2024 16:29:06.639903069 CET | 49707 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:29:06.759567022 CET | 21 | 49707 | 192.254.225.136 | 192.168.2.5
Dec 10, 2024 16:29:06.761780024 CET | 49707 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:29:06.765769005 CET | 49707 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:29:06.797799110 CET | 49708 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:29:06.889244080 CET | 21 | 49707 | 192.254.225.136 | 192.168.2.5
Dec 10, 2024 16:29:06.889317036 CET | 49707 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:29:06.917956114 CET | 21 | 49708 | 192.254.225.136 | 192.168.2.5
Dec 10, 2024 16:29:06.918042898 CET | 49708 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:29:06.924050093 CET | 49708 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:29:06.925409079 CET | 49709 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:29:07.043761969 CET | 21 | 49708 | 192.254.225.136 | 192.168.2.5
Dec 10, 2024 16:29:07.044382095 CET | 49708 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:29:07.045245886 CET | 21 | 49709 | 192.254.225.136 | 192.168.2.5
Dec 10, 2024 16:29:07.045320988 CET | 49709 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:29:07.045492887 CET | 49709 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:29:07.046595097 CET | 49710 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:29:07.165342093 CET | 21 | 49709 | 192.254.225.136 | 192.168.2.5
Dec 10, 2024 16:29:07.166529894 CET | 21 | 49710 | 192.254.225.136 | 192.168.2.5
Dec 10, 2024 16:29:07.166598082 CET | 49709 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:29:07.166629076 CET | 49710 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:29:07.166886091 CET | 49710 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:29:07.286596060 CET | 21 | 49710 | 192.254.225.136 | 192.168.2.5
Dec 10, 2024 16:29:07.286668062 CET | 49710 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:30:36.474371910 CET | 49897 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:30:36.593935013 CET | 21 | 49897 | 192.254.225.136 | 192.168.2.5
Dec 10, 2024 16:30:36.594904900 CET | 49897 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:30:36.598743916 CET | 49897 | 21 | 192.168.2.5 | 192.254.225.136
Dec 10, 2024 16:30:36.718250036 CET | 21 | 49897 | 192.254.225.136 | 192.168.2.5
Dec 10, 2024 16:30:36.718871117 CET | 49897 | 21 | 192.168.2.5 | 192.254.225.136
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 16:29:02.544996023 CET | 63980 | 53 | 192.168.2.5 | 1.1.1.1
Dec 10, 2024 16:29:02.682189941 CET | 53 | 63980 | 1.1.1.1 | 192.168.2.5
Dec 10, 2024 16:29:05.740401030 CET | 56891 | 53 | 192.168.2.5 | 1.1.1.1
Dec 10, 2024 16:29:06.636199951 CET | 53 | 56891 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 16:29:02.544996023 CET | 192.168.2.5 | 1.1.1.1 | 0x6623 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:29:05.740401030 CET | 192.168.2.5 | 1.1.1.1 | 0xace0 | Standard query (0) | ftp.ercolina-usa.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 16:29:02.682189941 CET | 1.1.1.1 | 192.168.2.5 | 0x6623 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:29:02.682189941 CET | 1.1.1.1 | 192.168.2.5 | 0x6623 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:29:02.682189941 CET | 1.1.1.1 | 192.168.2.5 | 0x6623 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 16:29:06.636199951 CET | 1.1.1.1 | 192.168.2.5 | 0xace0 | No error (0) | ftp.ercolina-usa.com | ercolina-usa.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 10, 2024 16:29:06.636199951 CET | 1.1.1.1 | 192.168.2.5 | 0xace0 | No error (0) | ercolina-usa.com | | 192.254.225.136 | A (IP address) | IN (0x0001) | false
                                                                                • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 104.26.13.205 | 443 | 528 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-10 15:29:03 UTC | 155 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
2024-12-10 15:29:04 UTC | 424 | IN | HTTP/1.1 200 OK
  Date: Tue, 10 Dec 2024 15:29:04 GMT
  Content-Type: text/plain
  Content-Length: 12
  Connection: close
  Vary: Origin
  CF-Cache-Status: DYNAMIC
  Server: cloudflare
  CF-RAY: 8efe44b15db5de98-EWR
  server-timing: cfL4;desc="?proto=TCP&rtt=1960&min_rtt=1950&rtt_var=751&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1438423&cwnd=208&unsent_bytes=0&cid=96ba7dc152bfa4a0&ts=460&x=0"
2024-12-10 15:29:04 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35
  Data Ascii: 8.46.123.175


Target ID: 0
Start time: 10:28:59
Start date: 10/12/2024
Path: C:\Users\user\Desktop\SPECIFICATIONS.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\SPECIFICATIONS.exe"
Imagebase: 0x2bda53e0000
File size: 607'232 bytes
MD5 hash: F55F417CB656AEDDB7E17504BBF28102
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2344463767.000002BDA75C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2345233326.000002BDB7261000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2345233326.000002BDB7261000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 10:28:59
Start date: 10/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 10:29:00
Start date: 10/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Imagebase:
File size: 42'064 bytes
MD5 hash: 5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 4
Start time: 10:29:00
Start date: 10/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase:
File size: 108'664 bytes
MD5 hash: 914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 10:29:00
Start date: 10/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Imagebase: 0xb60000
File size: 47'584 bytes
MD5 hash: 94C8E57A80DFCA2482DEDB87B93D4FD9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4502632182.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4501166919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4501166919.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4502632182.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4502632182.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate
Has exited: false

Target ID: 6
Start time: 10:29:01
Start date: 10/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Imagebase: 0x570000
File size: 47'584 bytes
MD5 hash: 94C8E57A80DFCA2482DEDB87B93D4FD9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 9
Start time: 10:29:01
Start date: 10/12/2024
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 6484 -s 1216
Imagebase: 0x7ff67d3f0000
File size: 570'736 bytes
MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 10:29:12
Start date: 10/12/2024
Path: C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase: 0x880000
File size: 47'584 bytes
MD5 hash: 94C8E57A80DFCA2482DEDB87B93D4FD9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: moderate
Has exited: true

Target ID: 12
Start time: 10:29:12
Start date: 10/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 10:29:21
Start date: 10/12/2024
Path: C:\Users\user\AppData\Roaming\newapp\newapp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Imagebase: 0x5c0000
File size: 47'584 bytes
MD5 hash: 94C8E57A80DFCA2482DEDB87B93D4FD9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 15
Start time: 10:29:21
Start date: 10/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                  Execution Graph

Execution Coverage: 12.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 9
Total number of Limit Nodes: 0

execution_graph (node ID, address, API call; edges as ->):
12691 (7ff848f1051a) -> 12692 (7ff848f11a70, VirtualProtect) -> 12694 (7ff848f11b12)
12695 (7ff848f104da) -> 12696 (7ff848f10cb0, FreeConsole) -> 12698 (7ff848f10d2e)
12683 (7ff848f11a22) -> 12684 (7ff848f11a31, VirtualProtect) -> 12686 (7ff848f11b12)

                                                                                  Control-flow Graph

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: _
                                                                                  • API String ID: 0-701932520
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2348487144.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff848ff0000_SPECIFICATIONS.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3253ec4c799dbdf8e30ba61c31ca6be205cbda4c701f10a6e19468831fda2f86
                                                                                  • Instruction ID: ee4192df35b84c17356550de99c6c31ace14ae2851535d22cb54af7731c1783a
                                                                                  • Opcode Fuzzy Hash: 3253ec4c799dbdf8e30ba61c31ca6be205cbda4c701f10a6e19468831fda2f86
                                                                                  • Instruction Fuzzy Hash: 09E2297280DAC98FE756FB2888555A4BBE0FF96340F1801FBD689CB1D3DB286846C745

                                                                                  Control-flow Graph

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: fish
                                                                                  • API String ID: 0-1064584243
                                                                                  • Opcode ID: dad33532f620180589153d136f04ab2016b76670bbb8032e7f3760bd901f9002
                                                                                  • Instruction ID: f29e8f51705f6199d2c2b3fd8f7c39ab191924235aedf580df865ae98af2c75c
                                                                                  • Opcode Fuzzy Hash: dad33532f620180589153d136f04ab2016b76670bbb8032e7f3760bd901f9002
                                                                                  • Instruction Fuzzy Hash: 6FD12531A1CA4A4FE75DFBB898551B977E1EF96350F0441BED48BC32D2DE28AC028785

Control-flow Graph
• Entry: 7ff848f22d79
• Basic blocks: 14, spanning 7ff848f22d79-7ff848f22fc8
• Internal calls: 7ff848f16928, 7ff848f16990
Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: gfff
                                                                                  • API String ID: 0-1553575800
                                                                                  • Opcode ID: 0e1a7d5aecad90cbb516de6a9ffd2bc2c080e6f12be7663c1ca3401b3d7aaa73
                                                                                  • Instruction ID: cf02706bfac181e3f8b945416cce0923ce039f67eda37c9039fe9bb51c4cdc5d
                                                                                  • Opcode Fuzzy Hash: 0e1a7d5aecad90cbb516de6a9ffd2bc2c080e6f12be7663c1ca3401b3d7aaa73
                                                                                  • Instruction Fuzzy Hash: 39514931B0D7950FD30E967C5C61061BBE1EB86311B0982BFD485CB2E7DA299C1AC345
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1a3dd34ad2851130abaec0e6f9406baae1048b567d98c366363b7ca0d61aa2ac
                                                                                  • Instruction ID: 26de6f5e4348f7b972119d6fa35bcefdcab64f4303c27dd0ae4169e99da77e93
                                                                                  • Opcode Fuzzy Hash: 1a3dd34ad2851130abaec0e6f9406baae1048b567d98c366363b7ca0d61aa2ac
                                                                                  • Instruction Fuzzy Hash: 9E92BF71A1DA4A8FEB98EB28D495AB877E1FF55340F1400B9D44EC72E2DF29AC41CB44
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 13db77648799add7f5ad2e0d81859219f07cc887a2df91333a701bbe1d3a1861
                                                                                  • Instruction ID: 93c72fc37c2e16d221929ad32d70b72813953e92c5f32b99743209b37a8916c2
                                                                                  • Opcode Fuzzy Hash: 13db77648799add7f5ad2e0d81859219f07cc887a2df91333a701bbe1d3a1861
                                                                                  • Instruction Fuzzy Hash: E1529630A1CA098FDB68EB28D455A7977E1FF55341F5401BDE48EC72D2DF24AC428B85
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 214b022484cb137503541da58709cd65f8218c6f787fc618ce9f82085256555a
                                                                                  • Instruction ID: 7c5d3500d2bc931a5d20955049df0270684c5e770a1dfc5be2a0f97c8d855206
                                                                                  • Opcode Fuzzy Hash: 214b022484cb137503541da58709cd65f8218c6f787fc618ce9f82085256555a
                                                                                  • Instruction Fuzzy Hash: B5D1563191CB864FE31DDB2894951B1B7E2FF95311F1446BED4CAC32E5DB28A886C781
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c4e71a71b2923f211e7c02067a6d7e60dd751db3f685f67ffa16247ce5604854
                                                                                  • Instruction ID: ac75afd7205dcff58ab21f9d3ce17494fd17481ecb854a2cb71a9e31071cdc70
                                                                                  • Opcode Fuzzy Hash: c4e71a71b2923f211e7c02067a6d7e60dd751db3f685f67ffa16247ce5604854
                                                                                  • Instruction Fuzzy Hash: 25415B3150D78A0FD71E9A3898261B57BA5EB83320B1582BFD087CB1E7DD196C4783D6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 468b2bfd362fade68c0c7bf767ce34d7b0b555dc84403cf87547ae3d4b3b0ac6
                                                                                  • Instruction ID: bed1ba59c79744be906b48a4636c7a06d435dbe874ae160d17283709a122762d
                                                                                  • Opcode Fuzzy Hash: 468b2bfd362fade68c0c7bf767ce34d7b0b555dc84403cf87547ae3d4b3b0ac6
                                                                                  • Instruction Fuzzy Hash: A7412831A0D78A0FD71E9B7888251757FA5EB93310B1582BFD086CB1E7DD28AC0687D2

Control-flow Graph
• Entry: 7ff848f11a22
• Basic blocks: 7, spanning 7ff848f11a22-7ff848f11b40
• API calls: VirtualProtect (block 7ff848f11a56-7ff848f11b10)
APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
                                                                                  Similarity
                                                                                  • API ID: ProtectVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 544645111-0
                                                                                  • Opcode ID: 77a75dd531220a48dc08e64ef0e4d484c77ceaef004eaa2dc98e014fe51ddca4
                                                                                  • Instruction ID: f7ade116b405b394e51b0472c28b24615a58fb99153bcb2787d6a9e682bcb82e
                                                                                  • Opcode Fuzzy Hash: 77a75dd531220a48dc08e64ef0e4d484c77ceaef004eaa2dc98e014fe51ddca4
                                                                                  • Instruction Fuzzy Hash: E741F63090CB888FDB19DBA898466F97FE1EF56321F0442AFD049D3293CF64A856C795

Control-flow Graph
• Entry: 7ff848f18025
• Basic blocks: 3, spanning 7ff848f18025-7ff848f26c2f
• API calls: VirtualProtect (block 7ff848f18025-7ff848f26bff)
APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
                                                                                  Similarity
                                                                                  • API ID: ProtectVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 544645111-0
                                                                                  • Opcode ID: 29ff5bea6dd3d25d57dc4543cd92e7f22af0bacf8f0380bcc39b6b241d434c76
                                                                                  • Instruction ID: c9af608ddf07eccaf69a10cb0fc5b92a98ebcae35003b4294211bb5a8387f78b
                                                                                  • Opcode Fuzzy Hash: 29ff5bea6dd3d25d57dc4543cd92e7f22af0bacf8f0380bcc39b6b241d434c76
                                                                                  • Instruction Fuzzy Hash: 40310531A0CA5C4FDB18EB5DD8496F97BE1FB95721F00023FD04AC3292CB246846C795

Control-flow Graph
• Entry: 7ff848f10c61
• Basic blocks: 9, spanning 7ff848f10c61-7ff848f10d5b
• API calls: FreeConsole (block 7ff848f10c98-7ff848f10d2c)
APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
                                                                                  Similarity
                                                                                  • API ID: ConsoleFree
                                                                                  • String ID:
                                                                                  • API String ID: 771614528-0
                                                                                  • Opcode ID: 23cf7d88da68bb02cd81f0e375850415be1bb854cac2b600901b05d549d693d0
                                                                                  • Instruction ID: 379461a5e008985814de30db3725fb5355a1227c2341786de0c6e9afff037a1b
                                                                                  • Opcode Fuzzy Hash: 23cf7d88da68bb02cd81f0e375850415be1bb854cac2b600901b05d549d693d0
                                                                                  • Instruction Fuzzy Hash: EE31147040D7889FDB16EB688855AFA7FF4EF52321F0441AFE089C3192DB24684ACB52

Control-flow Graph
• Entry: 7ff848f1051a
• Basic blocks: 3, spanning 7ff848f1051a-7ff848f11b40
• API calls: VirtualProtect (block 7ff848f1051a-7ff848f11b10)
APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
                                                                                  Similarity
                                                                                  • API ID: ProtectVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 544645111-0
                                                                                  • Opcode ID: b73abc2d3fe9eaf79d5a7a5bcb98c739e38cadd1b5348c9ce6fbe1e76637e919
                                                                                  • Instruction ID: 0bb943bddb2e937dd1ff44e9fbcfdb51b143af8eed8ae19b2ff02f9fd7c3d6be
                                                                                  • Opcode Fuzzy Hash: b73abc2d3fe9eaf79d5a7a5bcb98c739e38cadd1b5348c9ce6fbe1e76637e919
                                                                                  • Instruction Fuzzy Hash: FA31D630A0CA0C8FDB18DF5CD8496F977E1FB99311F00422FD04AD3292CB70A8468B95

Control-flow Graph
• Entry: 7ff848f104da
• Basic blocks: 4, spanning 7ff848f104da-7ff848f10d5b
• API calls: FreeConsole (block 7ff848f10cfa-7ff848f10d2c)
APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
                                                                                  Similarity
                                                                                  • API ID: ConsoleFree
                                                                                  • String ID:
                                                                                  • API String ID: 771614528-0
                                                                                  • Opcode ID: dd2e4413080814936e3e803a519a188bf654c03e66cd719b50677f71b81c24b1
                                                                                  • Instruction ID: 3e7a55df0e9cdd44390ecb9c668c6a420bd910339d329720ac3a57ce71144490
                                                                                  • Opcode Fuzzy Hash: dd2e4413080814936e3e803a519a188bf654c03e66cd719b50677f71b81c24b1
                                                                                  • Instruction Fuzzy Hash: 9821717090CA1C9FDB28EF59D849BFAB7E0EB55321F00422ED04AD3552DB74A845CB55

Control-flow Graph
• Entry: 7ff848f104ea
• Basic blocks: 4, spanning 7ff848f104ea-7ff848f10d5b
• API calls: FreeConsole (block 7ff848f10cfa-7ff848f10d2c)
APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
                                                                                  Similarity
                                                                                  • API ID: ConsoleFree
                                                                                  • String ID:
                                                                                  • API String ID: 771614528-0
                                                                                  • Opcode ID: dd2e4413080814936e3e803a519a188bf654c03e66cd719b50677f71b81c24b1
                                                                                  • Instruction ID: 3e7a55df0e9cdd44390ecb9c668c6a420bd910339d329720ac3a57ce71144490
                                                                                  • Opcode Fuzzy Hash: dd2e4413080814936e3e803a519a188bf654c03e66cd719b50677f71b81c24b1
                                                                                  • Instruction Fuzzy Hash: 9821717090CA1C9FDB28EF59D849BFAB7E0EB55321F00422ED04AD3552DB74A845CB55
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2348487144.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ff848ff0000_SPECIFICATIONS.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9fdb91678f55757374c05df3011b97b26b15b7ba7bc6dc85bacad87df70d1553
                                                                                  • Instruction ID: fb3efda7c4005a778405afc7c614c154873bb1dda6d5f73f2179d396aa209ecb
                                                                                  • Opcode Fuzzy Hash: 9fdb91678f55757374c05df3011b97b26b15b7ba7bc6dc85bacad87df70d1553
                                                                                  • Instruction Fuzzy Hash: 4171463190CA894FEB57EB2898595B57BE1EF56340F0901FBD04AC72D3EF29A885C385
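The "Memory Dump Source" blocks above are Joe Sandbox's per-function fingerprints: each starts with that label and is followed by "• Key: value" bullets (Opcode ID, Instruction ID, the two fuzzy hashes, and the API / String labels), with the Source File bullet packing the dump name, load offset and "based on PE" flag into one value. Note that the report writes API labels with their words reversed (the function whose graph shows VirtualProtect carries "API ID: ProtectVirtual", FreeConsole becomes "ConsoleFree"). The parser below is an added example, not Joe Sandbox code; it turns a run of these records into dictionaries, groups them by API label and flags Opcode IDs that occur in more than one record, as two of the ConsoleFree entries on this page do. The sample input is three records copied from this page; the "$" separator assumed for multi-API labels does not occur on this page and is an assumption.

```python
"""Parse Joe Sandbox per-function fingerprint records (added example, not
Joe Sandbox code). A record starts at the line "Memory Dump Source" and
consists of the "• Key: value" bullets that follow it."""
import re
from collections import defaultdict

# Constructed sample: three records copied from the report above. Labels such
# as "Joe Sandbox IDA Plugin", "Similarity" and "APIs" carry no data.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
Similarity
• API ID:
• String ID: fish
• API String ID: 0-1064584243
• Opcode ID: dad33532f620180589153d136f04ab2016b76670bbb8032e7f3760bd901f9002
• Instruction ID: f29e8f51705f6199d2c2b3fd8f7c39ab191924235aedf580df865ae98af2c75c
• Opcode Fuzzy Hash: dad33532f620180589153d136f04ab2016b76670bbb8032e7f3760bd901f9002
• Instruction Fuzzy Hash: 6FD12531A1CA4A4FE75DFBB898551B977E1EF96350F0441BED48BC32D2DE28AC028785
APIs
Memory Dump Source
• Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
Similarity
• API ID: ConsoleFree
• String ID:
• API String ID: 771614528-0
• Opcode ID: dd2e4413080814936e3e803a519a188bf654c03e66cd719b50677f71b81c24b1
• Instruction ID: 3e7a55df0e9cdd44390ecb9c668c6a420bd910339d329720ac3a57ce71144490
• Opcode Fuzzy Hash: dd2e4413080814936e3e803a519a188bf654c03e66cd719b50677f71b81c24b1
• Instruction Fuzzy Hash: 9821717090CA1C9FDB28EF59D849BFAB7E0EB55321F00422ED04AD3552DB74A845CB55
APIs
Memory Dump Source
• Source File: 00000000.00000002.2348151131.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f10000_SPECIFICATIONS.jbxd
Similarity
• API ID: ConsoleFree
• String ID:
• API String ID: 771614528-0
• Opcode ID: dd2e4413080814936e3e803a519a188bf654c03e66cd719b50677f71b81c24b1
• Instruction ID: 3e7a55df0e9cdd44390ecb9c668c6a420bd910339d329720ac3a57ce71144490
• Opcode Fuzzy Hash: dd2e4413080814936e3e803a519a188bf654c03e66cd719b50677f71b81c24b1
• Instruction Fuzzy Hash: 9821717090CA1C9FDB28EF59D849BFAB7E0EB55321F00422ED04AD3552DB74A845CB55
"""

FIELD = re.compile(r"^•\s*([^:]+):\s*(.*)$")  # "• Key: value"; key has no colon


def parse_records(text):
    """Split the text into one dict per "Memory Dump Source" record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        m = FIELD.match(line)
        if not m or current is None:
            continue  # plain labels, or bullets before the first record
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            # "<dump>, Offset: <addr>, based on PE: <bool>" -> three fields
            dump, *extras = [p.strip() for p in value.split(",")]
            current["Source File"] = dump
            for extra in extras:
                k, _, v = extra.partition(":")
                current[k.strip()] = v.strip()
        else:
            current[key] = value
    return records


def by_api(records):
    """Map each API label (kept verbatim, i.e. word-reversed as the report
    prints it) to the Opcode IDs of the records that carry it. Assumption:
    several APIs in one label are joined with '$' (not seen on this page)."""
    out = defaultdict(list)
    for r in records:
        for api in r.get("API ID", "").split("$"):
            if api:
                out[api].append(r["Opcode ID"])
    return dict(out)


def duplicate_opcode_ids(records):
    """Opcode IDs listed under more than one record: the same code fingerprint
    reached from more than one entry, so it should be counted once when the
    hashes are turned into hunting indicators."""
    counts = defaultdict(int)
    for r in records:
        counts[r["Opcode ID"]] += 1
    return {k: n for k, n in counts.items() if n > 1}
```

Feed the whole disassembly section of a report to parse_records to get every fingerprint; the Instruction Fuzzy Hash and Opcode ID fields are what you would compare across samples, and duplicate_opcode_ids keeps the per-sample counts honest.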

                                                                                  Execution Graph

                                                                                  Execution Coverage:12.8%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:0%
                                                                                  Total number of Nodes:203
                                                                                  Total number of Limit Nodes:21

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q$$]q$$]q
• API String ID: 0-3723351465
• Opcode ID: 42ec6fcbde521e689a1508c312a9af4bb693036716c3a4f22b0ca78543f18fc4
• Instruction ID: 73e8b981165f524330b5614a5df37cc4d20e877359b4d0e9a46e6e20b570b930
• Opcode Fuzzy Hash: 42ec6fcbde521e689a1508c312a9af4bb693036716c3a4f22b0ca78543f18fc4
• Instruction Fuzzy Hash: CE323031E1061A8FCB54EF75D89459DF7B6FFC9300F11C6AAD409AB254EB30A985CB90

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
Similarity
• API ID:
• String ID: $]q$$]q
• API String ID: 0-127220927
• Opcode ID: c003de25d5e1fe4a2d51f826a1077040193c45cefdc4a7b3d95a06fe5260dda2
• Instruction ID: ed4bf8b435ca5bf8d1275ef1127fbafcf18d13687dfc8492a2d2f7051bb9dcce
• Opcode Fuzzy Hash: c003de25d5e1fe4a2d51f826a1077040193c45cefdc4a7b3d95a06fe5260dda2
• Instruction Fuzzy Hash: 0A029C30B0021A8FDB54EB64D990AAEB7F6FF84304F148529D416AF394DB39ED46CB91

Memory Dump Source
• Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 69c03c444681108b6267d09c69fae3deadc2e975083fa7c6b83d205234795531
• Instruction ID: 0cd930f91cc59f3a75c84b38e729bb027076a3b4d6f3005d5e85b87378202e83
• Opcode Fuzzy Hash: 69c03c444681108b6267d09c69fae3deadc2e975083fa7c6b83d205234795531
• Instruction Fuzzy Hash: 6BA22234A002088FDBA4EF68C584B9DBBF2EB49314F5584A9D409AF365DB35ED85CF90

Memory Dump Source
• Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5910ad0c97e4e52339014e88e2b00d1406306fface2ecf24baeba8118c7b511a
• Instruction ID: bc8654084bb107b2fad3d15887c222f872bde2a3891b78edc74c0b0107769e53
• Opcode Fuzzy Hash: 5910ad0c97e4e52339014e88e2b00d1406306fface2ecf24baeba8118c7b511a
• Instruction Fuzzy Hash: 6E628A34A002148FDB64EF68D594AADB7F2EF88314F149469E40ADF3A4DB35EC46CB90

Memory Dump Source
• Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74ba59803dc4d435bbc7f6c4460d774af1b10ef075555395215c635da1774349
• Instruction ID: 718a1a38c6a5ede0c2a849382c083dac0c9f29cc4d5cd73b2dfe28fba7865bac
• Opcode Fuzzy Hash: 74ba59803dc4d435bbc7f6c4460d774af1b10ef075555395215c635da1774349
• Instruction Fuzzy Hash: AD329F30B402198FDF55EF68E590BAEB7B6EB88320F108525E506DB355DB38EC46CB91

Memory Dump Source
• Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 88f430299d40732d0ba3b3317c70ac34f18aece6acb3b5f4a55987a28599dadd
• Instruction ID: 14e84b64e4a3b587f106a5540b5bfb05fde9e133ae5fe67c9a64203b273e65a9
• Opcode Fuzzy Hash: 88f430299d40732d0ba3b3317c70ac34f18aece6acb3b5f4a55987a28599dadd
• Instruction Fuzzy Hash: 8722F4B5F002158FDB60EFA4D8906AEB7B2EBC5320F14882AD9599F354DB34DC42CB91

Memory Dump Source
• Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dfa05ed61e66512931233bad4a7efe95b289232cb10816d1f8e60e9b8a60a2f7
• Instruction ID: 977f64fc93c1c9bb37418b2cc669673871df999a1b5ca2270dcba1db374d10c6
• Opcode Fuzzy Hash: dfa05ed61e66512931233bad4a7efe95b289232cb10816d1f8e60e9b8a60a2f7
• Instruction Fuzzy Hash: 0E224170E102098FDF64EF69D5907AEB7B6EB49310F248926E415DF395CA34DC82CBA1

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
• API String ID: 0-1273862796
• Opcode ID: 88bae86d03fb66ffe31739bb3053e1c8a3454073eaaf3517724171c5ede73a86
• Instruction ID: 2efef9e72050fc050857227f169c923ff5611d9c0299325a8dfe7076c80579fa
• Opcode Fuzzy Hash: 88bae86d03fb66ffe31739bb3053e1c8a3454073eaaf3517724171c5ede73a86
• Instruction Fuzzy Hash: 04E18B30E012198FCB69EF69D5906AEB7B6EF89300F208529E519EF354DB34DC46CB91

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q$$]q$$]q
• API String ID: 0-3723351465
• Opcode ID: 2a0f953b190c20d4cf30e69c2e81f2900cac2f7dd1a989de3adc730058f28119
• Instruction ID: 7f53587915683a997bcce0221bdfc852f5c6d5c861be9cecef51d72a3bfacdbe
• Opcode Fuzzy Hash: 2a0f953b190c20d4cf30e69c2e81f2900cac2f7dd1a989de3adc730058f28119
• Instruction Fuzzy Hash: C3026C30E0021A8FDBA4EF68D590AADB7B6FF45300F14896AD405DF255DB34ED46CBA1

Control-flow Graph
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32 ref: 06A0A15E
                                                                                  • GetCurrentThread.KERNEL32 ref: 06A0A19B
                                                                                  • GetCurrentProcess.KERNEL32 ref: 06A0A1D8
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 06A0A231
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: Current$ProcessThread
                                                                                  • String ID:
                                                                                  • API String ID: 2063062207-0
                                                                                  • Opcode ID: 7e6d1080c32daac3d1d841f4d2f7d10484b54c76e1fb7100e11e35be627b5663
                                                                                  • Instruction ID: 0ceb8d53325f3772ce46c8c28662acc7284e3633b0062f209c8d5ba63848a08e
                                                                                  • Opcode Fuzzy Hash: 7e6d1080c32daac3d1d841f4d2f7d10484b54c76e1fb7100e11e35be627b5663
                                                                                  • Instruction Fuzzy Hash: 375187B09003499FDB54DFAAD948B9EBFF1FF49304F208459E109A72A1D7345884CB61

                                                                                  Control-flow Graph
                                                                                  control_flow_graph 449 6a0a0e0-6a0a16f GetCurrentProcess 454 6a0a171-6a0a177 449->454 455 6a0a178-6a0a1ac GetCurrentThread 449->455 454->455 456 6a0a1b5-6a0a1e9 GetCurrentProcess 455->456 457 6a0a1ae-6a0a1b4 455->457 459 6a0a1f2-6a0a20d call 6a0a2b0 456->459 460 6a0a1eb-6a0a1f1 456->460 457->456 463 6a0a213-6a0a242 GetCurrentThreadId 459->463 460->459 464 6a0a244-6a0a24a 463->464 465 6a0a24b-6a0a2ad 463->465 464->465
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32 ref: 06A0A15E
                                                                                  • GetCurrentThread.KERNEL32 ref: 06A0A19B
                                                                                  • GetCurrentProcess.KERNEL32 ref: 06A0A1D8
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 06A0A231
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: Current$ProcessThread
                                                                                  • String ID:
                                                                                  • API String ID: 2063062207-0
                                                                                  • Opcode ID: 8136ae8644cc4489952811a7bf84e6a37439ff5b53ba01bb69070d9a6de77aae
                                                                                  • Instruction ID: c776244cace03bea6a588dbd37a12f2ccb4c856444c5543437a7411e927c20e4
                                                                                  • Opcode Fuzzy Hash: 8136ae8644cc4489952811a7bf84e6a37439ff5b53ba01bb69070d9a6de77aae
                                                                                  • Instruction Fuzzy Hash: 7E5177B09003099FDB54DFAAD948BAEBBF1FF49304F208459E509A73A0D7349944CF65

                                                                                  Control-flow Graph
                                                                                  control_flow_graph 472 6a19230-6a19255 473 6a19257-6a1925a 472->473 474 6a19260-6a19275 473->474 475 6a19b18-6a19b1b 473->475 483 6a19277-6a1927d 474->483 484 6a1928d-6a192a3 474->484 476 6a19b41-6a19b43 475->476 477 6a19b1d-6a19b3c 475->477 478 6a19b45 476->478 479 6a19b4a-6a19b4d 476->479 477->476 478->479 479->473 482 6a19b53-6a19b5d 479->482 485 6a19281-6a19283 483->485 486 6a1927f 483->486 489 6a192ae-6a192b0 484->489 485->484 486->484 490 6a192b2-6a192b8 489->490 491 6a192c8-6a19339 489->491 492 6a192ba 490->492 493 6a192bc-6a192be 490->493 502 6a19365-6a19381 491->502 503 6a1933b-6a1935e 491->503 492->491 493->491 508 6a19383-6a193a6 502->508 509 6a193ad-6a193c8 502->509 503->502 508->509 514 6a193f3-6a1940e 509->514 515 6a193ca-6a193ec 509->515 520 6a19410-6a1942c 514->520 521 6a19433-6a19441 514->521 515->514 520->521 522 6a19451-6a194cb 521->522 523 6a19443-6a1944c 521->523 529 6a19518-6a1952d 522->529 530 6a194cd-6a194eb 522->530 523->482 529->475 534 6a19507-6a19516 530->534 535 6a194ed-6a194fc 530->535 534->529 534->530 535->534
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $]q$$]q$$]q$$]q
                                                                                  • API String ID: 0-858218434
                                                                                  • Opcode ID: 8cf2e9b336acf2261e97aee045f1a2b0421610f5634497f089ca4389f851d5af
                                                                                  • Instruction ID: 15a2f0059594908615a23508403537da655c50630b1c67ce67f793c77020d901
                                                                                  • Opcode Fuzzy Hash: 8cf2e9b336acf2261e97aee045f1a2b0421610f5634497f089ca4389f851d5af
                                                                                  • Instruction Fuzzy Hash: 08914130B0021A9FDB94EF65D8607AFB7F6BF85204F108569D819EF344EA709D46CB92

                                                                                  Control-flow Graph
                                                                                  control_flow_graph 538 6a1d030-6a1d04b 539 6a1d04d-6a1d050 538->539 540 6a1d052-6a1d094 539->540 541 6a1d099-6a1d09c 539->541 540->541 542 6a1d0e5-6a1d0e8 541->542 543 6a1d09e-6a1d0e0 541->543 545 6a1d0f7-6a1d0fa 542->545 546 6a1d0ea-6a1d0ec 542->546 543->542 549 6a1d143-6a1d146 545->549 550 6a1d0fc-6a1d10b 545->550 547 6a1d0f2 546->547 548 6a1d519 546->548 547->545 554 6a1d51c-6a1d528 548->554 555 6a1d148-6a1d18a 549->555 556 6a1d18f-6a1d192 549->556 552 6a1d11a-6a1d126 550->552 553 6a1d10d-6a1d112 550->553 558 6a1da4d-6a1da86 552->558 559 6a1d12c-6a1d13e 552->559 553->552 554->550 563 6a1d52e-6a1d81b 554->563 555->556 560 6a1d194-6a1d199 556->560 561 6a1d19c-6a1d19f 556->561 593 6a1da88-6a1da8b 558->593 559->549 560->561 564 6a1d1a1-6a1d1a3 561->564 565 6a1d1ae-6a1d1b1 561->565 752 6a1d821-6a1d827 563->752 753 6a1da42-6a1da4c 563->753 569 6a1d3d7-6a1d3e0 564->569 570 6a1d1a9 564->570 565->554 572 6a1d1b7-6a1d1ba 565->572 578 6a1d3e2-6a1d3e7 569->578 579 6a1d3ef-6a1d3fb 569->579 570->565 575 6a1d1dd-6a1d1e0 572->575 576 6a1d1bc-6a1d1d8 572->576 581 6a1d1e2-6a1d224 575->581 582 6a1d229-6a1d22c 575->582 576->575 578->579 583 6a1d401-6a1d415 579->583 584 6a1d50c-6a1d511 579->584 581->582 590 6a1d275-6a1d278 582->590 591 6a1d22e-6a1d270 582->591 583->548 608 6a1d41b-6a1d42d 583->608 584->548 596 6a1d2c1-6a1d2c4 590->596 597 6a1d27a-6a1d2bc 590->597 591->590 600 6a1da8d-6a1dab9 593->600 601 6a1dabe-6a1dac1 593->601 609 6a1d2e1-6a1d2e4 596->609 610 6a1d2c6-6a1d2dc 596->610 597->596 600->601 605 6a1dad0-6a1dad3 601->605 606 6a1dac3 call 6a1dba5 601->606 612 6a1dad5-6a1daf1 605->612 613 6a1daf6-6a1daf8 605->613 619 6a1dac9-6a1dacb 606->619 628 6a1d451-6a1d453 608->628 629 6a1d42f-6a1d435 608->629 615 6a1d2e6-6a1d328 609->615 616 6a1d32d-6a1d330 609->616 610->609 612->613 625 6a1dafa 613->625 626 6a1daff-6a1db02 613->626 615->616 623 6a1d332-6a1d374 616->623 624 6a1d379-6a1d37c 616->624 619->605 623->624 633 6a1d3c5-6a1d3c7 624->633 634 6a1d37e-6a1d38d 624->634 625->626 626->593 630 6a1db04-6a1db13 626->630 646 6a1d45d-6a1d469 628->646 638 6a1d437 629->638 639 6a1d439-6a1d445 629->639 658 6a1db15-6a1db78 call 6a16688 630->658 659 6a1db7a-6a1db8f 630->659 644 6a1d3c9 633->644 645 6a1d3ce-6a1d3d1 633->645 641 6a1d39c-6a1d3a8 634->641 642 6a1d38f-6a1d394 634->642 649 6a1d447-6a1d44f 638->649 639->649 641->558 653 6a1d3ae-6a1d3c0 641->653 642->641 644->645 645->539 645->569 664 6a1d477 646->664 665 6a1d46b-6a1d475 646->665 649->646 653->633 658->659 675 6a1db90 659->675 670 6a1d47c-6a1d47e 664->670 665->670 670->548 676 6a1d484-6a1d4a0 call 6a16688 670->676 675->675 690 6a1d4a2-6a1d4a7 676->690 691 6a1d4af-6a1d4bb 676->691 690->691 691->584 693 6a1d4bd-6a1d50a 691->693 693->548 754 6a1d836-6a1d83f 752->754 755 6a1d829-6a1d82e 752->755 754->558 756 6a1d845-6a1d858 754->756 755->754 758 6a1da32-6a1da3c 756->758 759 6a1d85e-6a1d864 756->759 758->752 758->753 760 6a1d873-6a1d87c 759->760 761 6a1d866-6a1d86b 759->761 760->558 762 6a1d882-6a1d8a3 760->762 761->760 765 6a1d8b2-6a1d8bb 762->765 766 6a1d8a5-6a1d8aa 762->766 765->558 767 6a1d8c1-6a1d8de 765->767 766->765 767->758 770 6a1d8e4-6a1d8ea 767->770 770->558 771 6a1d8f0-6a1d909 770->771 773 6a1da25-6a1da2c 771->773 774 6a1d90f-6a1d936 771->774 773->758 773->770 774->558 777 6a1d93c-6a1d946 774->777 777->558 778 6a1d94c-6a1d963 777->778 780 6a1d972-6a1d98d 778->780 781 6a1d965-6a1d970 778->781 780->773 786 6a1d993-6a1d9ac call 6a16688 780->786 781->780 790 6a1d9bb-6a1d9c4 786->790 791 6a1d9ae-6a1d9b3 786->791 790->558 792 6a1d9ca-6a1da1e 790->792 791->790 792->773
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $]q$$]q$$]q
                                                                                  • API String ID: 0-182748909
                                                                                  • Opcode ID: d0e799437d38e07bf30e5575f3ad251051eb6eb19f49275c9ec30f6995ce867b
                                                                                  • Instruction ID: 9806eb9a77da6b0228f47943e888e2c786a4ec3d1ff4bcf9160a40c5ab6f0665
                                                                                  • Opcode Fuzzy Hash: d0e799437d38e07bf30e5575f3ad251051eb6eb19f49275c9ec30f6995ce867b
                                                                                  • Instruction Fuzzy Hash: 4062613060061A8FCB55EF69E580A5EB7B6FF85304B208A69D005DF369EB75EC46CB90

                                                                                  Control-flow Graph
                                                                                  control_flow_graph 800 6a14c70-6a14c94 801 6a14c96-6a14c99 800->801 802 6a14c9b-6a14cb5 801->802 803 6a14cba-6a14cbd 801->803 802->803 804 6a14cc3-6a14dbb 803->804 805 6a1539c-6a1539e 803->805 823 6a14dc1-6a14e0e call 6a1551a 804->823 824 6a14e3e-6a14e45 804->824 806 6a153a0 805->806 807 6a153a5-6a153a8 805->807 806->807 807->801 809 6a153ae-6a153bb 807->809 837 6a14e14-6a14e30 823->837 825 6a14ec9-6a14ed2 824->825 826 6a14e4b-6a14ebb 824->826 825->809 843 6a14ec6 826->843 844 6a14ebd 826->844 840 6a14e32 837->840 841 6a14e3b-6a14e3c 837->841 840->841 841->824 843->825 844->843
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: fbq$XPbq$\Obq
                                                                                  • API String ID: 0-4057264190
                                                                                  • Opcode ID: 86a8382e60f39b7969432b512510449be4d98bb598e6efe3475ed8aa959bb431
                                                                                  • Instruction ID: 86b4f3a509861c8f96a654859a6c78acb3537f3b2f4f73c12fbc900ae13c8252
                                                                                  • Opcode Fuzzy Hash: 86a8382e60f39b7969432b512510449be4d98bb598e6efe3475ed8aa959bb431
                                                                                  • Instruction Fuzzy Hash: B0618070E002199FEB54EFA9C4547AEBBF6FF88700F20842AD106AF394DB758D458B91

                                                                                  Control-flow Graph
                                                                                  control_flow_graph 1149 6a19220-6a19255 1150 6a19257-6a1925a 1149->1150 1151 6a19260-6a19275 1150->1151 1152 6a19b18-6a19b1b 1150->1152 1160 6a19277-6a1927d 1151->1160 1161 6a1928d-6a192a3 1151->1161 1153 6a19b41-6a19b43 1152->1153 1154 6a19b1d-6a19b3c 1152->1154 1155 6a19b45 1153->1155 1156 6a19b4a-6a19b4d 1153->1156 1154->1153 1155->1156 1156->1150 1159 6a19b53-6a19b5d 1156->1159 1162 6a19281-6a19283 1160->1162 1163 6a1927f 1160->1163 1166 6a192ae-6a192b0 1161->1166 1162->1161 1163->1161 1167 6a192b2-6a192b8 1166->1167 1168 6a192c8-6a19339 1166->1168 1169 6a192ba 1167->1169 1170 6a192bc-6a192be 1167->1170 1179 6a19365-6a19381 1168->1179 1180 6a1933b-6a1935e 1168->1180 1169->1168 1170->1168 1185 6a19383-6a193a6 1179->1185 1186 6a193ad-6a193c8 1179->1186 1180->1179 1185->1186 1191 6a193f3-6a1940e 1186->1191 1192 6a193ca-6a193ec 1186->1192 1197 6a19410-6a1942c 1191->1197 1198 6a19433-6a19441 1191->1198 1192->1191 1197->1198 1199 6a19451-6a194cb 1198->1199 1200 6a19443-6a1944c 1198->1200 1206 6a19518-6a1952d 1199->1206 1207 6a194cd-6a194eb 1199->1207 1200->1159 1206->1152 1211 6a19507-6a19516 1207->1211 1212 6a194ed-6a194fc 1207->1212 1211->1206 1211->1207 1212->1211
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $]q$$]q
                                                                                  • API String ID: 0-127220927
                                                                                  • Opcode ID: 754a057924187798005eac2e077e560efd12dc2a0d03d8a799bcedb42dec35ed
                                                                                  • Instruction ID: c172ebd8c901d5ce8f6c36dbb62d26c9ad760250d89bcf31c724e951ed0fe525
                                                                                  • Opcode Fuzzy Hash: 754a057924187798005eac2e077e560efd12dc2a0d03d8a799bcedb42dec35ed
                                                                                  • Instruction Fuzzy Hash: 4E515430B001159FDB95EB75D860BAF77F6BB84604F108569D419EB354EA309C06CB92

                                                                                  Control-flow Graph
                                                                                  control_flow_graph 1288 6a14c61-6a14c94 1290 6a14c96-6a14c99 1288->1290 1291 6a14c9b-6a14cb5 1290->1291 1292 6a14cba-6a14cbd 1290->1292 1291->1292 1293 6a14cc3-6a14dbb 1292->1293 1294 6a1539c-6a1539e 1292->1294 1312 6a14dc1-6a14e0e call 6a1551a 1293->1312 1313 6a14e3e-6a14e45 1293->1313 1295 6a153a0 1294->1295 1296 6a153a5-6a153a8 1294->1296 1295->1296 1296->1290 1298 6a153ae-6a153bb 1296->1298 1326 6a14e14-6a14e30 1312->1326 1314 6a14ec9-6a14ed2 1313->1314 1315 6a14e4b-6a14ebb 1313->1315 1314->1298 1332 6a14ec6 1315->1332 1333 6a14ebd 1315->1333 1329 6a14e32 1326->1329 1330 6a14e3b-6a14e3c 1326->1330 1329->1330 1330->1313 1332->1314 1333->1332
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: fbq$XPbq
                                                                                  • API String ID: 0-2292610095
                                                                                  • Opcode ID: 8745d2ba0c33a7e007474b29a1efc39b2cdf8b3e17a5da01f632660d19f41593
                                                                                  • Instruction ID: bbf8ec2e43b86a643015f622f37d4978f2fee901103ee5929bae94cf2f5c105a
                                                                                  • Opcode Fuzzy Hash: 8745d2ba0c33a7e007474b29a1efc39b2cdf8b3e17a5da01f632660d19f41593
                                                                                  • Instruction Fuzzy Hash: 78518270F002199FDB54DFA5C854BAEBBF6FF88710F20852AE106AF395DA758C018B91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4502549324.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2d90000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7ac0d16b57877d44cdf14f08a621f7baaf98973512e74a22000d4d5096e881af
                                                                                  • Instruction ID: a39758e77dffa354958652d9c01d855cc5c8cad453515ade9fdf743b3b6c0b9b
                                                                                  • Opcode Fuzzy Hash: 7ac0d16b57877d44cdf14f08a621f7baaf98973512e74a22000d4d5096e881af
                                                                                  • Instruction Fuzzy Hash: D041EF71E043558FCB14DFA9D8047AEBBF1EF89310F15866AD418A7741DB789885CBE0
                                                                                  APIs
                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06A0684A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateWindow
                                                                                  • String ID:
                                                                                  • API String ID: 716092398-0
                                                                                  • Opcode ID: 21b5ecbee71e5a8446b618b0030f5d4fc862630322df2e33d6f4f93c15e22d58
                                                                                  • Instruction ID: 3b61d12fd8e9e9b106f7e2b17bf8e255ecd1c0f1dd2440c52861e71ee896d4dd
                                                                                  • Opcode Fuzzy Hash: 21b5ecbee71e5a8446b618b0030f5d4fc862630322df2e33d6f4f93c15e22d58
                                                                                  • Instruction Fuzzy Hash: 5B51D0B0C00309AFDB14DF99D884ADEBBB5FF48314F24812AE818AB250D774A885CF90
                                                                                  APIs
                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06A0684A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateWindow
                                                                                  • String ID:
                                                                                  • API String ID: 716092398-0
                                                                                  • Opcode ID: 10d0f35a6dcdb653deafa3ec68b0987af35bc75740365c6739720426604eb390
                                                                                  • Instruction ID: b1ba92b94df0443c1442ff6e25ece6a836455bae3cf7c8181ad1f9d14b4f814c
                                                                                  • Opcode Fuzzy Hash: 10d0f35a6dcdb653deafa3ec68b0987af35bc75740365c6739720426604eb390
                                                                                  • Instruction Fuzzy Hash: 6141C0B1D00309EFDB14DF9AD884ADEBBB5BF49314F24812AE818AB250D775A855CF90
                                                                                  APIs
                                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 06A0B679
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: CallProcWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2714655100-0
                                                                                  • Opcode ID: ef8f8dd9180cc258162d1ce4ee6ede297446ebb7d029beb167578ab163ef224c
                                                                                  • Instruction ID: 0c89e9ce9562801593b1e63367a67a28915b1b77548b4de6039d1b99881af662
                                                                                  • Opcode Fuzzy Hash: ef8f8dd9180cc258162d1ce4ee6ede297446ebb7d029beb167578ab163ef224c
                                                                                  • Instruction Fuzzy Hash: 784169B4900304CFDB44DF89C988AAABBF9FF88314F248498D519AB361D335A840CFA0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: Clipboard
                                                                                  • String ID:
                                                                                  • API String ID: 220874293-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: Clipboard
                                                                                  • String ID:
                                                                                  • API String ID: 220874293-0
                                                                                  APIs
                                                                                  • OleInitialize.OLE32(00000000), ref: 06A0BE15
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: Initialize
                                                                                  • String ID:
                                                                                  • API String ID: 2538663250-0
                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A0A3AF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A0A3AF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  APIs
                                                                                  • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06A0DD4B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: HookWindows
                                                                                  • String ID:
                                                                                  • API String ID: 2559412058-0
                                                                                  APIs
                                                                                  • DeleteFileW.KERNEL32(00000000), ref: 02D980B0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4502549324.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2d90000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: DeleteFile
                                                                                  • String ID:
                                                                                  • API String ID: 4033686569-0
                                                                                  APIs
                                                                                  • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06A0DD4B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: HookWindows
                                                                                  • String ID:
                                                                                  • API String ID: 2559412058-0
                                                                                  APIs
                                                                                  • DeleteFileW.KERNEL32(00000000), ref: 02D980B0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4502549324.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2d90000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: DeleteFile
                                                                                  • String ID:
                                                                                  • API String ID: 4033686569-0
                                                                                  APIs
                                                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 02D9F107
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4502549324.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_2d90000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: GlobalMemoryStatus
                                                                                  • String ID:
                                                                                  • API String ID: 1890195054-0
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 06A056F6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: HandleModule
                                                                                  • String ID:
                                                                                  • API String ID: 4139908857-0
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 06A056F6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: HandleModule
                                                                                  • String ID:
                                                                                  • API String ID: 4139908857-0
                                                                                  APIs
                                                                                  • OleInitialize.OLE32(00000000), ref: 06A0BE15
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: Initialize
                                                                                  • String ID:
                                                                                  • API String ID: 2538663250-0
                                                                                  APIs
                                                                                  • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06A0B8CD), ref: 06A0B957
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: CallbackDispatcherUser
                                                                                  • String ID:
                                                                                  • API String ID: 2492992576-0
                                                                                  APIs
                                                                                  • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06A0B8CD), ref: 06A0B957
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: CallbackDispatcherUser
                                                                                  • String ID:
                                                                                  • API String ID: 2492992576-0
                                                                                  APIs
                                                                                  • OleInitialize.OLE32(00000000), ref: 06A0BE15
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507633419.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a00000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID: Initialize
                                                                                  • String ID:
                                                                                  • API String ID: 2538663250-0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: PH]q
                                                                                  • API String ID: 0-3168235125
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: PH]q
                                                                                  • API String ID: 0-3168235125
Memory Dump Source
• Source File: 00000005.00000002.4502200818.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_144d000_jsc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ccb6424b44f070d68f0f28ed4fbca4d566bec991083a0180145a295944f82092
• Instruction ID: c43d8134a3ff26637dc68b5bf49b1dfd5856444aa0672376cd5ade74eac1b78c
• Opcode Fuzzy Hash: ccb6424b44f070d68f0f28ed4fbca4d566bec991083a0180145a295944f82092
• Instruction Fuzzy Hash: 052125B1904204DFEB15DF98D980B26BBA5FB94318F20C56ED90A0B366C33AD407CA62
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4502200818.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_144d000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d401107a71d16e838e9c075c4225ca3aa4d2689b23b6dcf2e540a1ffc272a566
                                                                                  • Instruction ID: 837d35d6291e7462ba205a9314626a2599c3f1532df0181b539c3a9208b8312c
                                                                                  • Opcode Fuzzy Hash: d401107a71d16e838e9c075c4225ca3aa4d2689b23b6dcf2e540a1ffc272a566
                                                                                  • Instruction Fuzzy Hash: C5216B7550D3C08FDB13CF64C990711BF71AB46214F29C5EBD9898F6A7C23A980ACB62
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: aba31ecf1d626750daac80bd176a920e8f9f257eb6dd2a78b5484666e8d5806b
                                                                                  • Instruction ID: a975bcc16560c32cfe671380c7bd603bf7fd22cf95598c5d14d47a93ebe257ff
                                                                                  • Opcode Fuzzy Hash: aba31ecf1d626750daac80bd176a920e8f9f257eb6dd2a78b5484666e8d5806b
                                                                                  • Instruction Fuzzy Hash: 8021E130B001199FDF44EB6AE9506AEB7B7EF85310F148529E509EF394EB30ED028B84
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2c035a17544a97d4f1da2e5c8c90e7718650c5a41527de9b7c299cafe048f402
                                                                                  • Instruction ID: 97735cfef86b57c97f06b03bdcb136be7761fcfbd7320430a759cb9f1bc9aae3
                                                                                  • Opcode Fuzzy Hash: 2c035a17544a97d4f1da2e5c8c90e7718650c5a41527de9b7c299cafe048f402
                                                                                  • Instruction Fuzzy Hash: 2101D271B002211FD795AA6DE80075FFAEBDBC9711F10443AE10ACF351EA21DD034391
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: df156613c9ab821ec3668399e164d017619eaab42864e8dd39cf7aa9532e3983
                                                                                  • Instruction ID: 80e8132091f6b659f9344d41f8adbe5516f2d108da0f3ec890142c6c9dbe0b98
                                                                                  • Opcode Fuzzy Hash: df156613c9ab821ec3668399e164d017619eaab42864e8dd39cf7aa9532e3983
                                                                                  • Instruction Fuzzy Hash: D0118E32B001294BDB54A66CD8246AE73FBEBCC351F018539D50AEB354DA25DC068BE1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a07d203d96fb8d591faad7981e483056f2fdbd3593bb665c12a60057a905539e
                                                                                  • Instruction ID: f3dd6382d3f60f9dd27e0db5f6750cb796bc8e0b91e697cd0c5ac0f5fe3f7771
                                                                                  • Opcode Fuzzy Hash: a07d203d96fb8d591faad7981e483056f2fdbd3593bb665c12a60057a905539e
                                                                                  • Instruction Fuzzy Hash: 85115171D1076E9BCF61DFA5C85069EBBB6BF85340F11451AE805FF200EBB0A949CB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d6946c5ab16ba687fb6039e28f3ad9086f0b503dda4d51e1e5a03abffe2b8b15
                                                                                  • Instruction ID: 687da697e2fe510d238a21f9661042623f1934aa20c187f6710bf2c0a57a6f0d
                                                                                  • Opcode Fuzzy Hash: d6946c5ab16ba687fb6039e28f3ad9086f0b503dda4d51e1e5a03abffe2b8b15
                                                                                  • Instruction Fuzzy Hash: E6019632B001255BDB55A67CDC146EF77FBDBC9710F11403AD50ADB254DA258C0B87E2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a8993c51fa4b712ee51dde9f8fab38d35502b38862f54cc8004eb9a37ef8b075
                                                                                  • Instruction ID: aa2c20d35f335212a772b29441683d57bf20520015d6d0bbafaed14340892854
                                                                                  • Opcode Fuzzy Hash: a8993c51fa4b712ee51dde9f8fab38d35502b38862f54cc8004eb9a37ef8b075
                                                                                  • Instruction Fuzzy Hash: FC21C3B5D01259AFCB10DF9AD884ADEFFB4FB49320F10811AE918A7240D3786A54CFE5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 11341184175f6ebd6b665f10413077aaf6b15416a556aca4622c0eea79db70e8
                                                                                  • Instruction ID: 8a16950e288cd8929c903f78496689ff45df35ec1d12eb7bd5e65d77e1ac1ec6
                                                                                  • Opcode Fuzzy Hash: 11341184175f6ebd6b665f10413077aaf6b15416a556aca4622c0eea79db70e8
                                                                                  • Instruction Fuzzy Hash: 0601A235B000615FDF65A7B9A4A476EA7D6DBC9721F10883AE10ACF344EE21DD4347D1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4502200818.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_144d000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 212b96ca827b798fa91ccd41c0eac3b093082415815754ec50078a914fdf967d
                                                                                  • Instruction ID: f951c5ce6568e63f14a1560c31aeea201c4dadf21ef4e5c0d148c28069906e92
                                                                                  • Opcode Fuzzy Hash: 212b96ca827b798fa91ccd41c0eac3b093082415815754ec50078a914fdf967d
                                                                                  • Instruction Fuzzy Hash: 8B11BE75904280CFEB06CF14C5C4B16BF62FB54214F24C6AADC494B762C33AD44ACB51
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3f3821c50f8ec9463ec9e31159e3d75ab904af46b73e6655a11e419d68e09a38
                                                                                  • Instruction ID: bd209d8be0534a6e607964a5b33a6dc29e36766b31a27e23007bac338b1c6c3b
                                                                                  • Opcode Fuzzy Hash: 3f3821c50f8ec9463ec9e31159e3d75ab904af46b73e6655a11e419d68e09a38
                                                                                  • Instruction Fuzzy Hash: C011A2B5D01259AFCB10DF9AD884ADEFFB4FB49314F50812AE518A7240C3786954CFE5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5432073a3ed1491eff2eb313463f1ad4900d558a58740d0ca318471d273432a5
                                                                                  • Instruction ID: 4672aa7b357297dab43d9d24146fc55ca1940d20108edb2b8c57802509aa69a4
                                                                                  • Opcode Fuzzy Hash: 5432073a3ed1491eff2eb313463f1ad4900d558a58740d0ca318471d273432a5
                                                                                  • Instruction Fuzzy Hash: 1C016D31B005210BDB65AA6DE45472FF6DBDBC9B11F108839E10ECF354E965DD034395
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: afec6ddda3cb3cf4dbb2ca530f914e45946b3113de32590069a1b4f58bad17c0
                                                                                  • Instruction ID: 11791b705ef7a91898f19064f231eafa4ea475bb03a60f47b0147092ca6e37da
                                                                                  • Opcode Fuzzy Hash: afec6ddda3cb3cf4dbb2ca530f914e45946b3113de32590069a1b4f58bad17c0
                                                                                  • Instruction Fuzzy Hash: A2018135B001610FCB65AA7DE464B2FB6DADBC9625F10883AE10ACF344DA65DD034396
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f7cd52f71a9a7dfb96dfa3ca14c836dfdf327f8b7c974a7cdad3a7e3a3424511
                                                                                  • Instruction ID: 6ce7978f305ac533b79c7c43a0702ae4bb45bca90716b8f2534532a92898bb10
                                                                                  • Opcode Fuzzy Hash: f7cd52f71a9a7dfb96dfa3ca14c836dfdf327f8b7c974a7cdad3a7e3a3424511
                                                                                  • Instruction Fuzzy Hash: 08018130B115240BDB65EA69E454B2EB3D6EB89764F108839E60ECF354EE21ED028B81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6b69b88b8481c75d734fbb32812cceade62f01550b303a1186f0d271f5ccb2a4
                                                                                  • Instruction ID: 8d7d71004b117864a8f17c6c3891534cb13180ec6870f9ee017e6568c5a7e500
                                                                                  • Opcode Fuzzy Hash: 6b69b88b8481c75d734fbb32812cceade62f01550b303a1186f0d271f5ccb2a4
                                                                                  • Instruction Fuzzy Hash: A501F931B112245BCF15AE66F850A9EB77AEB84320F004139E906EF344DB35A8058BD4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                                  • API String ID: 0-2843079600
                                                                                  • Opcode ID: 5bf0a13060bd68e16bef6df007880c771f835a516a076f1920b7e084040a8d1c
                                                                                  • Instruction ID: 9f650b5d4c21ee04ff1dfd650a2444c5440aa7b37bb2cc9ff43c6e61f0bfdbd2
                                                                                  • Opcode Fuzzy Hash: 5bf0a13060bd68e16bef6df007880c771f835a516a076f1920b7e084040a8d1c
                                                                                  • Instruction Fuzzy Hash: DA121C30E002198FDB68EF69D994AADB7F2BF88304F249569D409AB354DB30DD85CF91
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                                  • API String ID: 0-1273862796
                                                                                  • Opcode ID: 333258c36bc60f841b58cc965f8ee6aa8ec3359d03017f33e364fb7496529b3e
                                                                                  • Instruction ID: 7ab8e1a9cd16f98e5f6e4d504a7103454758847caaade4b3df36c09860435b99
                                                                                  • Opcode Fuzzy Hash: 333258c36bc60f841b58cc965f8ee6aa8ec3359d03017f33e364fb7496529b3e
                                                                                  • Instruction Fuzzy Hash: E2917D30A022099FEB68EFA5E594B6EB7F6FF44301F108529E9059F3A5DB349C41CB90
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
                                                                                  • API String ID: 0-981061697
                                                                                  • Opcode ID: 68619dea9e2d7bd1c66d2d03b91427ac4a2020996d426486f770dfb8a3b9c00d
                                                                                  • Instruction ID: 2b98c8fcc1bfb770c8c19492934378cb8a0f5a3e530cbb5c9669cf667df73ecf
                                                                                  • Opcode Fuzzy Hash: 68619dea9e2d7bd1c66d2d03b91427ac4a2020996d426486f770dfb8a3b9c00d
                                                                                  • Instruction Fuzzy Hash: CFF14C34A01209CFDB59EFA5E590A6EB7B7FF84300F218569E4159B368DB34EC42CB91
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $]q$$]q$$]q$$]q
                                                                                  • API String ID: 0-858218434
                                                                                  • Opcode ID: a12edc3a91f09aa1900f4bf48ee911bb6705392fd1df3c850699d6802fb28c92
                                                                                  • Instruction ID: db370fb84a15c87944bf730da377099e833998faad7b78fd641db8abf0157e03
                                                                                  • Opcode Fuzzy Hash: a12edc3a91f09aa1900f4bf48ee911bb6705392fd1df3c850699d6802fb28c92
                                                                                  • Instruction Fuzzy Hash: 17B13B30E012198FDB58EFA9D59066EB7B6FF84305F248929D406AF354DB39DC82CB90
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: LR]q$LR]q$$]q$$]q
                                                                                  • API String ID: 0-3527005858
                                                                                  • Opcode ID: 66329a3888e380cad61e45ab82fc96dfdb7fe74d0cbaf2bb1a859f70746cdf7e
                                                                                  • Instruction ID: 8716fd6118af6ecf066085417670c62ef6b6e6d90e3770073568e6f354a9df9c
                                                                                  • Opcode Fuzzy Hash: 66329a3888e380cad61e45ab82fc96dfdb7fe74d0cbaf2bb1a859f70746cdf7e
                                                                                  • Instruction Fuzzy Hash: 3C51B130B002059FDB58EF29D990A6AB7F6FF88310F118569E4069F3A8DA34EC41CB91
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000005.00000002.4507686785.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_5_2_6a10000_jsc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $]q$$]q$$]q$$]q
                                                                                  • API String ID: 0-858218434
                                                                                  • Opcode ID: f8869dcd28d4e38cc15f5d25030ecb1599728b570d06493d88aae219c449ec4b
                                                                                  • Instruction ID: d34d925095f302f160f7f1956bd6a583dd84e3b8d07e8a9e45b1833cfbdce139
                                                                                  • Opcode Fuzzy Hash: f8869dcd28d4e38cc15f5d25030ecb1599728b570d06493d88aae219c449ec4b
                                                                                  • Instruction Fuzzy Hash: FB51A130A122148FDF65EF68E580AAEB3B6EF89310F148529E915DF354DB30DD42CB91
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2170697262.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_e90000_newapp.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: tP]q$tP]q
                                                                                  • API String ID: 0-145478062
                                                                                  • Opcode ID: ec4c1290d6e6bb24930c44aace2f5a85b8ef7e2b825c6abb2846bc9e9b31c40e
                                                                                  • Instruction ID: 27cddfdc328fc656e00f1f1bf782a109f5cb6e6a25137fe922940365c2fb5683
                                                                                  • Opcode Fuzzy Hash: ec4c1290d6e6bb24930c44aace2f5a85b8ef7e2b825c6abb2846bc9e9b31c40e
                                                                                  • Instruction Fuzzy Hash: 62214874B001158FCB48DFB9C448AADBBF1AF48B14B2145A9E509EB361DB35ED42CF91
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2170697262.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_e90000_newapp.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: tP]q$tP]q
                                                                                  • API String ID: 0-145478062
                                                                                  • Opcode ID: 48f0c1deef44f66feb30239615bc60e5f7dad59ce78980ada6789c8006b43378
                                                                                  • Instruction ID: 2165cc770ed48ddacb31a529d35e4d107312b1d704917313528da37f6d4f096e
                                                                                  • Opcode Fuzzy Hash: 48f0c1deef44f66feb30239615bc60e5f7dad59ce78980ada6789c8006b43378
                                                                                  • Instruction Fuzzy Hash: DB212474B001158FCB48DFB9D488A6DB7F1AF48714B2145A9E509EB361EB35ED42CF90
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2170697262.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_e90000_newapp.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: l.]q
                                                                                  • API String ID: 0-1248894718
                                                                                  • Opcode ID: 4783800c767486631ff9a69fec49a9de367cf3543448be84ecca1c0f9e236a40
                                                                                  • Instruction ID: 3c31381e79e8911ecfeb4a95042b1174052d2c99bf47cccce6317d44c656f50c
                                                                                  • Opcode Fuzzy Hash: 4783800c767486631ff9a69fec49a9de367cf3543448be84ecca1c0f9e236a40
                                                                                  • Instruction Fuzzy Hash: 0C31C030B002048FCB18EF79D954A6A3BEAFF89710F115969D10ADB366DB34DC05CB91
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2170697262.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_e90000_newapp.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: l.]q
                                                                                  • API String ID: 0-1248894718
                                                                                  • Opcode ID: 43782734e23efe3c680bbbf63422c608d50a86a5efea68f33d49fb90e855c515
                                                                                  • Instruction ID: 7828a8f619e89f8cd94e7241c2f015c287e555aa2fd8bdaa53ee4bcecd3eeb9d
                                                                                  • Opcode Fuzzy Hash: 43782734e23efe3c680bbbf63422c608d50a86a5efea68f33d49fb90e855c515
                                                                                  • Instruction Fuzzy Hash: C6316A30B002048FCB58EF79D954A6A7BEAFFC9710B619868D50ADB366DB349C05CB91
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2170697262.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_e90000_newapp.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: tP]q
                                                                                  • API String ID: 0-2175968468
                                                                                  • Opcode ID: 7b404212367e9efe402765459c0c3a987c18f3adaa0e2ca254bc9fad285eaa3f
                                                                                  • Instruction ID: 82ed7938833e1878677d11dfee7c389ab636638d49123de523f2389ec59d7aae
                                                                                  • Opcode Fuzzy Hash: 7b404212367e9efe402765459c0c3a987c18f3adaa0e2ca254bc9fad285eaa3f
                                                                                  • Instruction Fuzzy Hash: 6D111074B40115CFCB58DF78D08896DB7B1AF48719B2140A9E80ADB371DA35ED42CF80
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2170697262.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_e90000_newapp.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5f587e44c67ba02297b62cbee408a50316e6c118bf55f5a47f46ffc377021fd9
                                                                                  • Instruction ID: 7ec1352ec375ef6dbcf31c341c6e9f91a7b510ba8a2cd27a1dcb5503460aa188
                                                                                  • Opcode Fuzzy Hash: 5f587e44c67ba02297b62cbee408a50316e6c118bf55f5a47f46ffc377021fd9
                                                                                  • Instruction Fuzzy Hash: 20216F75B002199FCF60DF79D880AAEB7F9EB8C714F64812AE519F3344DA309D0687A1
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2170697262.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_e90000_newapp.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2c85b855f36b6ca7738f14c6cb2213a035200d8ef1dd889551a5c27091cf1986
                                                                                  • Instruction ID: 6f7941a6c870316127d988fe8348facc2ffbaccea671435a2182e3cd55b07594
                                                                                  • Opcode Fuzzy Hash: 2c85b855f36b6ca7738f14c6cb2213a035200d8ef1dd889551a5c27091cf1986
                                                                                  • Instruction Fuzzy Hash: 0BE0867AB001148FCB00ABB8E818A5C7364FB8D71170104A5F909D7374DB348D06C741
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000E.00000002.2252289992.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_14_2_2700000_newapp.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: tP]q$tP]q
                                                                                  • API String ID: 0-145478062
                                                                                  • Opcode ID: c35ba8e95ea86e9e727d48f71f495e110baae7d9616d2682bb1fdfcde2682de9
                                                                                  • Instruction ID: 75740d5e926660d854af5dd47fa432fc82ccae69ced2dc53fd21de0124aa9d20
                                                                                  • Opcode Fuzzy Hash: c35ba8e95ea86e9e727d48f71f495e110baae7d9616d2682bb1fdfcde2682de9
                                                                                  • Instruction Fuzzy Hash: 0D214674A00115CFCB48DF79D484AADB7F1EF48B14B1145A9E409DB3A1DB359D46CF80
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000E.00000002.2252289992.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_14_2_2700000_newapp.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: tP]q$tP]q
                                                                                  • API String ID: 0-145478062
                                                                                  • Opcode ID: 2dd939d9c0155ce3972da9692703aab54f27e944d830ce8a370c2116891e28d8
                                                                                  • Instruction ID: cc152d2ae6aacf144c96d1c2cc1f7c711b8751164f93d24af995e09cec94e08a
                                                                                  • Opcode Fuzzy Hash: 2dd939d9c0155ce3972da9692703aab54f27e944d830ce8a370c2116891e28d8
                                                                                  • Instruction Fuzzy Hash: 06211374A00115CFCB48EFB9D488A6DB7F1AF48B14B1144A9E509DB3A1EB35ED46CF90
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000E.00000002.2252289992.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_14_2_2700000_newapp.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: l.]q
                                                                                  • API String ID: 0-1248894718
                                                                                  • Opcode ID: 2450db6703314d8259ee98c084790a1dcf4fa67fa525b2f793806bd9d89efd65
                                                                                  • Instruction ID: 0091850f9adc59e42966bff841684ba6dcc6ebea884a85092474822439bbe5a8
                                                                                  • Opcode Fuzzy Hash: 2450db6703314d8259ee98c084790a1dcf4fa67fa525b2f793806bd9d89efd65
                                                                                  • Instruction Fuzzy Hash: D4316D34B00200CFCB14EB78D994A6A7BF6FF89B14B1049ADD14A8B3A6DB349805CB51
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000E.00000002.2252289992.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_14_2_2700000_newapp.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: l.]q
                                                                                  • API String ID: 0-1248894718
                                                                                  • Opcode ID: f97940d7d523bce2a16774106ab8297cf890f6841359aa23bfe64f2388ab8708
                                                                                  • Instruction ID: 450ede5941c41b69084451f7d279af05ba2c4e4bb12e7d7e82ec16561dd4c25d
                                                                                  • Opcode Fuzzy Hash: f97940d7d523bce2a16774106ab8297cf890f6841359aa23bfe64f2388ab8708
                                                                                  • Instruction Fuzzy Hash: 2F314E34B00204CFCB58EF79DA94A6A77E6FF89B10B104968D14ACB3A5EB349C05CB91
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000E.00000002.2252289992.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_14_2_2700000_newapp.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: tP]q
                                                                                  • API String ID: 0-2175968468
                                                                                  • Opcode ID: 6e3f9fb29e549dd2f9589920c0c96d98121fd3422b0f18d8e924ccd9706e6b1e
                                                                                  • Instruction ID: db35b8b94daafa850f409d42796c470ed4b12ac523cc78c5a83392d4be8b2bb6
                                                                                  • Opcode Fuzzy Hash: 6e3f9fb29e549dd2f9589920c0c96d98121fd3422b0f18d8e924ccd9706e6b1e
                                                                                  • Instruction Fuzzy Hash: E011FD78A40115CFCB48DF78D088A6DB7B1AF48B25B2140A9E806CB3B1DB35EC42CF90
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000E.00000002.2252289992.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_14_2_2700000_newapp.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: feb61ce9e11dbf494071cf15d0c342366928d30500e52998905e7e488c5f92a7
                                                                                  • Instruction ID: b273e60e6ec0dd8688f20ce4805137d9d46bb2c5dbbe0b36753a24529923d762
                                                                                  • Opcode Fuzzy Hash: feb61ce9e11dbf494071cf15d0c342366928d30500e52998905e7e488c5f92a7
                                                                                  • Instruction Fuzzy Hash: 6C219575B00204DFCB50DE79D980BAEB7F5EB89724F10412AE519E7384DB30AC068BA1
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000E.00000002.2252289992.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_14_2_2700000_newapp.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ff47d790c38bcfd45163f99a2f63a385600fe02bbb7fe5de0c01984f4ba38e5b
                                                                                  • Instruction ID: 3fbccd5daed1f715e5c84b159b694ce164523282e5cb2ee1d30ebf7fbe6e0439
                                                                                  • Opcode Fuzzy Hash: ff47d790c38bcfd45163f99a2f63a385600fe02bbb7fe5de0c01984f4ba38e5b
                                                                                  • Instruction Fuzzy Hash: 7E015E75A002149FCB51DF78A8C0FEEBBF1EB4A724F104265E918E7391D7319E169B90
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000E.00000002.2252289992.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_14_2_2700000_newapp.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6cd3c9765f9f071aeef8874b483613ec088428431ffd9c7661cfb85f0c2edaf0
                                                                                  • Instruction ID: 4d8da2867fc92cb13fd7e5179ba453bbde1dcae77f3b9a94c93faf9eba322e95
                                                                                  • Opcode Fuzzy Hash: 6cd3c9765f9f071aeef8874b483613ec088428431ffd9c7661cfb85f0c2edaf0
                                                                                  • Instruction Fuzzy Hash: 6BE04F36B401108FCB04ABB8E41895C7374EBC862170108A5F909CB364DB388D55C741